AI Security Review
scanned 5d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a documented Agent Gateway CLI whose network calls, local credential storage, and .claude/settings.local.json edits are aligned with explicit user commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw CLI commands such as target add/use, login, init, key rotate, status, doctor, or completion.
Impact
User-selected project wiring and local credential/session storage; no unconsented install-time execution found.
Mechanism
documented gateway CLI configuration and API client
Rationale
Static inspection shows suspicious primitives are package-aligned CLI behavior: documented gateway API access, local credential/config storage, browser login, completion output, and explicit project wiring. There are no lifecycle hooks, import-time payloads, hidden exfiltration, persistence writes, or unconsented AI-agent control-surface mutation.
Evidence
- package.json
- README.md
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/*
- ~/.agw/caps/*.json
- ~/.agw/.legacy-migrated
- ~/.claude-gateway/config.json
- .agw.json
- .claude/settings.local.json
Network endpoints (3)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
Decision evidence
public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/main.js writes project AI-agent config .claude/settings.local.json during user-invoked agw init/key rotate.
- dist/main.js stores gateway targets/session/caps under ~/.agw and migrates legacy ~/.claude-gateway config.
- dist/main.js uses child_process execFileSync for git root discovery and spawn only to open login URLs in a browser.
- dist/main.js contacts configured gateway APIs and npm registry for doctor/latest checks.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; published files only include dist/main.js.
- README.md documents the CLI purpose, network gateway management, and agw init writing .claude/settings.local.json.
- AI-agent config mutation is not lifecycle/import-time; it is activated by explicit CLI commands like agw init or key rotate.
- No evidence of credential harvesting/exfiltration beyond user-provided gateway URLs and documented Bitagent endpoints.
- Completion profile snippets are printed for user installation; no shell profile persistence is written automatically.
- Secret-like tokens are read/written as local CLI credentials with restrictive modes and masked in output.
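The evidence for and against above reduces to a handful of static signals: no lifecycle hooks in package.json, a files allowlist of dist/main.js, child_process use limited to git root discovery and a browser opener, one literal AI-agent config path, and a few fixed hosts. The script below is an added example, not the scanner's logic and not bitspark-agw's code, of how a reviewer can extract those signals from a parsed package.json object and the text of the published entry file. It goes slightly beyond the review by also counting URLs built from template variables (like the http://${host}:${port} seen in the flagged snippet), which a static pass cannot resolve to a host. The hook list, the regexes, and the sample package.json and source text are this example's own assumptions and constructed inputs.

```javascript
// Added example (not the scanner's or bitspark-agw's own code): a minimal static
// triage that reproduces the kind of signals this review lists for an npm package.
// Inputs are a parsed package.json object and the text of the published entry file.
// The hook list, regexes and sample inputs below are this example's own assumptions.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];
// Child-process primitives, longest names first so the alternation matches whole identifiers.
const SHELL_CALL_RE = /\b(execFileSync|spawnSync|execSync|execFile|spawn|exec)\s*\(/g;
const STATIC_URL_RE = /https?:\/\/([A-Za-z0-9.-]+)/g;
// URLs assembled from template variables (e.g. `http://${host}:${port}`) cannot be
// resolved to a host statically, so they are counted separately.
const DYNAMIC_URL_RE = /https?:\/\/\$\{/g;
const AGENT_CONFIG_PATH = ".claude/settings.local.json";

function lifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook));
}

function triagePackage(pkg, source, expectedFiles) {
  const hooks = lifecycleHooks(pkg);
  const files = Array.isArray(pkg.files) ? pkg.files : null;
  const shellPrimitives = [...new Set([...source.matchAll(SHELL_CALL_RE)].map((m) => m[1]))].sort();
  const hosts = [...new Set([...source.matchAll(STATIC_URL_RE)].map((m) => m[1]))].sort();
  return {
    // Anything in these hooks runs at install time without the user invoking the CLI.
    hooks,
    installTimeExecution: hooks.length > 0,
    // Without a "files" allowlist, npm publishes everything that is not ignored.
    filesRestricted: files !== null,
    unexpectedFiles: files ? files.filter((f) => !expectedFiles.includes(f)) : [],
    usesChildProcess: /child_process/.test(source),
    shellPrimitives,
    // Number of literal references to the AI-agent project config path.
    agentConfigWrites: source.split(AGENT_CONFIG_PATH).length - 1,
    hosts,
    dynamicUrls: [...source.matchAll(DYNAMIC_URL_RE)].length,
  };
}

// Constructed sample inputs, shaped like the review's evidence but not the real files.
const samplePkg = {
  name: "example-cli",
  version: "1.0.0",
  files: ["dist/main.js"],
  scripts: { build: "tsc", test: "node --test" },
};
const sampleSource = [
  'import { execFileSync, spawn } from "node:child_process";',
  'const root = execFileSync("git", ["rev-parse", "--show-toplevel"]).toString().trim();',
  'spawn(opener, [loginUrl]);',
  'writeFileSync(join(root, ".claude/settings.local.json"), JSON.stringify(cfg));',
  'const tags = await fetch("https://registry.npmjs.org/-/package/example-cli/dist-tags");',
  'const adminUrl = `http://${host}:${port}`;',
].join("\n");

console.log(triagePackage(samplePkg, sampleSource, ["dist/main.js"]));
```

For a real package, pass JSON.parse(fs.readFileSync("package.json", "utf8")) and the contents of the published entry file; a non-empty hooks array is the one result that turns "activated by explicit CLI commands" into install-time execution and should be read before anything else in the output.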
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
NoLicense
Source & flagged code
2 flagged · dist/main.js

Medium · Secret Pattern · dist/main.js line 22057
patternName = generic_password
severity = medium
line = 22057
matchedText = if (!fro...t) {

Medium · Install Persistence · dist/main.js L70
Source writes installer persistence such as shell profile or service configuration.
Flagged region (the lines at L70-L72 resolve the package's own directory to read its version from package.json; per the evidence against a block above, completion snippets are only printed and no shell profile is written automatically):
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Findings
4 Medium · 5 Low
- Medium · Secret Pattern · dist/main.js
- Medium · Network
- Medium · Environment Vars
- Medium · Install Persistence · dist/main.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License