registry  /  @the-next-ai/ai-gateway  /  1.0.3

@the-next-ai/ai-gateway@1.0.3

TypeScript Fastify AI protocol gateway for OpenAI, Anthropic, Gemini, MCP and agent workflows.

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are runtime features of an AI/MCP gateway and require explicit configuration or authenticated/user API actions.

Static reason
One or more suspicious static signals were detected.
Trigger
Running the CLI/server and enabling configured gateway, manager, MCP, webhook, raw trace, or code-tool features.
Impact
Can contact configured upstreams and write configured local state when operators enable those features; no covert exfiltration or install-time execution found.
Mechanism
Configurable AI gateway proxy, MCP client/server, event sinks, and sandboxed user code execution.
Rationale
Static inspection shows a feature-rich Fastify AI gateway with configurable network, stdio, and sandboxed tool execution, but the suspicious primitives are package-aligned and user/operator-invoked. There is no lifecycle hook, hidden payload, credential exfiltration path, destructive action, or unconsented agent control mutation.
Evidence
package.jsonbin/next-ai-gateway.jsdist/index.jsdist/index.js.mapgateway.config.compose.jsongateway.config.jsonagent storage filesraw trace spool filestemporary gateway-code-tool-deno-sandbox-* directories
Network endpoints6
api.openai.com/v1api.anthropic.comgenerativelanguage.googleapis.comauth.openai.com/oauth/tokenchatgpt.com/backend-api/codexws://toolhub:3100/mcp/ws

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js.map: ../src/agent/tools.ts can spawn configured MCP stdio servers and a Deno sandbox for user-requested code_tool.runCode.
  • dist/index.js.map: ../src/external-json-source.ts, external-config.ts, external-event-sink.ts support configured HTTP/WebSocket/gRPC/stdio integrations.
  • dist/index.js.map: ../src/manager/routes.ts can write gateway.config.json via authenticated manager API.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hooks.
  • bin/next-ai-gateway.js only requires dist/index.js to start the gateway CLI/server.
  • Network endpoints are AI-gateway aligned: OpenAI, Anthropic, Gemini, ChatGPT Codex OAuth, configured webhooks/MCP sources.
  • Deno code execution uses --deny-env, --deny-net, --deny-read, --deny-write, --deny-run, --deny-ffi, --deny-sys.
  • No credential harvesting, persistence, destructive behavior, or unconsented AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 545 KB of source, external domains: api.anthropic.com, api.openai.com, auth.openai.com, chatgpt.com, gateway.local, generativelanguage.googleapis.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
6`);return e.write(` L7: `),!0}catch{return!1}}function Yh(e){return _c.includes(e)}function H(e,n){return e.code(400).send({error:{message:n}})}function yn(e){return e.code(405).send({error:{message:Kh}})... L8: `)})}function oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function Gc(e,n){let t=e.trim();if(!t)...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6
1"use strict";var uh=Object.create;var ac=Object.defineProperty;var dh=Object.getOwnPropertyDescriptor;var ch=Object.getOwnPropertyNames;var lh=Object.getPrototypeOf,fh=Object.proto... L2: `)}function sn(e,n){let t=e[n.toLowerCase()],r=S(typeof t=="string"||Array.isArray(t)?t:void 0);return r&&r.trim()||void 0}function Sh(e){return js(e)&&js(e.data)?e.data:e}function... ... L6: `);return e.write(` L7: `),!0}catch{return!1}}function Yh(e){return _c.includes(e)}function H(e,n){return e.code(400).send({error:{message:n}})}function yn(e){return e.code(405).send({error:{message:Kh}})... L8: `)})}function oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function Gc(e,n){let t=e.trim();if(!t)...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1"use strict";var uh=Object.create;var ac=Object.defineProperty;var dh=Object.getOwnPropertyDescriptor;var ch=Object.getOwnPropertyNames;var lh=Object.getPrototypeOf,fh=Object.proto... L2: `)}function sn(e,n){let t=e[n.toLowerCase()],r=S(typeof t=="string"||Array.isArray(t)?t:void 0);return r&&r.trim()||void 0}function Sh(e){return js(e)&&js(e.data)?e.data:e}function... ... L6: `);return e.write(` L7: `),!0}catch{return!1}}function Yh(e){return _c.includes(e)}function H(e,n){return e.code(400).send({error:{message:n}})}function yn(e){return e.code(405).send({error:{message:Kh}})... L8: `)})}function oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function Gc(e,n){let t=e.trim();if(!t)...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings