AI Security Review
scanned 5d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a developer CLI for configuring Bitagent Gateway access, with network, token, and .claude settings writes tied to explicit CLI actions.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the agw CLI commands such as login, target, init, status, or doctor.
Impact
Can store gateway sessions/tokens and wire a project to a configured gateway endpoint when explicitly commanded; no install-time or hidden exfiltration found.
Mechanism
User-invoked gateway CLI configuration and API client
Rationale
Static source inspection found sensitive primitives, but they are consistent with an explicit gateway-management CLI and are not activated by npm lifecycle hooks or hidden import-time behavior. The .claude/settings.local.json mutation is performed by user-invoked setup commands to set ANTHROPIC_BASE_URL and a gateway credential, not by unconsented install-time execution.
Evidence
- package.json
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/<hash>
- ~/.agw/capabilities/<hash>.json
- ~/.claude-gateway/config.json
- .agw.json
- .claude/settings.local.json
Network endpoints (3)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
Decision evidence
public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has bin only and no install/preinstall/postinstall lifecycle hooks.
- dist/main.js default execution is a CLI dispatcher; help/version paths exit without setup mutation.
- dist/main.js reads AGW_* env vars and ~/.agw auth/session files to configure user-requested gateway calls.
- dist/main.js network calls target configured gateway URLs plus built-in https://gateway.bitagent.dev, https://compat.bitagent.dev, and an npm latest-version check.
- dist/main.js writes ~/.agw config/cache/session files and project .agw.json/.claude/settings.local.json only through CLI commands such as target/login/init.
- dist/main.js child_process use is package-aligned: git root discovery and opening browser for login.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
2 flagged · dist/main.js
patternName = generic_password
severity = medium
line = 22057
matchedText = if (!fro...t) {
Medium
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
Findings
4 Medium, 5 Low
- Medium: Secret Pattern (dist/main.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Install Persistence (dist/main.js)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License