registry  /  @the-next-ai/ai-gateway  /  1.0.4

@the-next-ai/ai-gateway@1.0.4

TypeScript Fastify AI protocol gateway for OpenAI, Anthropic, Gemini, MCP and agent workflows.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs next-ai-gateway or node dist/index.js and enables/configures gateway, agent, MCP, webhook, raw trace, or manager features.
Impact
Could execute configured local commands or agent-requested sandbox code and forward request/trace/event data to configured endpoints; no unconsented attack behavior confirmed.
Mechanism
runtime AI gateway proxy, configured subprocess transports, and sandboxed agent code tool
Policy narrative
If an operator runs the gateway and configures stdio transports, MCP servers, manager writes, raw tracing, or agent code tools, the service can spawn configured commands, write runtime state/config/trace files, and relay data to configured HTTP/WebSocket/gRPC endpoints. The package does not perform these actions during npm install and the reviewed execution paths are aligned with an AI gateway product rather than hidden malware.
Rationale
Static source inspection confirms significant runtime dual-use capability, including configured subprocess transports and a sandboxed code execution tool, but no install-time hook, foreign AI-agent control-surface mutation, hardcoded exfiltration, persistence, or credential harvesting. Warn-level treatment is appropriate for dangerous agent/gateway capability content rather than a publish block.
Evidence
package.jsonbin/next-ai-gateway.jsdist/index.jsdist/index.js.mapdocs/usage.mdgateway.config.json.agent-dataraw trace spool directory
Network endpoints5
api.openai.com/v1api.anthropic.comgenerativelanguage.googleapis.comauth.openai.com/oauth/tokenchatgpt.com/backend-api/codex

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js starts a Fastify gateway on CLI/runtime import via bin/next-ai-gateway.js.
  • dist/index.js.map source shows user/config-driven child_process spawn for stdio external JSON, MCP servers, and event sinks.
  • dist/index.js.map exposes agent code_tool.runCode, spawning deno for agent-supplied code, but with --deny-env/net/read/write/run and temp cleanup.
  • Manager/raw-trace/file-store code can write gateway.config.json, .agent-data, and raw trace spool only during configured runtime/API use.
Evidence against
  • package.json has no install/postinstall lifecycle scripts.
  • bin/next-ai-gateway.js only requires dist/index.js; no install-time execution or home/agent config mutation found.
  • Network calls are package-aligned AI gateway behavior: provider APIs, configured webhooks/external sources, OAuth token refresh, MCP WebSocket.
  • No evidence of credential harvesting, hardcoded exfiltration endpoint, persistence, destructive actions, or prompt/reviewer manipulation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 583 KB of source, external domains: api.anthropic.com, api.openai.com, auth.openai.com, chatgpt.com, gateway.local, generativelanguage.googleapis.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
6`);return e.write(` L7: `),!0}catch{return!1}}function zw(e){return tl.includes(e)}function K(e,n){return e.code(400).send({error:{message:n}})}function kn(e){return e.code(405).send({error:{message:Dw}})... L8: `)})}function Oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function ml(e,n){let t=e.trim();if(!t)...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6
1"use strict";var rw=Object.create;var Fc=Object.defineProperty;var ow=Object.getOwnPropertyDescriptor;var iw=Object.getOwnPropertyNames;var sw=Object.getPrototypeOf,aw=Object.proto... L2: `)}function dn(e,n){let t=e[n.toLowerCase()],r=S(typeof t=="string"||Array.isArray(t)?t:void 0);return r&&r.trim()||void 0}function vw(e){return va(e)&&va(e.data)?e.data:e}function... ... L6: `);return e.write(` L7: `),!0}catch{return!1}}function zw(e){return tl.includes(e)}function K(e,n){return e.code(400).send({error:{message:n}})}function kn(e){return e.code(405).send({error:{message:Dw}})... L8: `)})}function Oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function ml(e,n){let t=e.trim();if(!t)...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1"use strict";var rw=Object.create;var Fc=Object.defineProperty;var ow=Object.getOwnPropertyDescriptor;var iw=Object.getOwnPropertyNames;var sw=Object.getPrototypeOf,aw=Object.proto... L2: `)}function dn(e,n){let t=e[n.toLowerCase()],r=S(typeof t=="string"||Array.isArray(t)?t:void 0);return r&&r.trim()||void 0}function vw(e){return va(e)&&va(e.data)?e.data:e}function... ... L6: `);return e.write(` L7: `),!0}catch{return!1}}function zw(e){return tl.includes(e)}function K(e,n){return e.code(400).send({error:{message:n}})}function kn(e){return e.code(405).send({error:{message:Dw}})... L8: `)})}function Oa(e,n){let t={accept:"application/json",...e.headers};return n&&(t["content-type"]=n),e.apiKey&&(t[e.apiKeyHeader]=e.apiKey),t}function ml(e,n){let t=e.trim();if(!t)...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings