registry  /  bitspark-agw  /  0.16.47

bitspark-agw@0.16.47

Agent Gateway CLI — set up and manage your project's connection to the Bitagent Gateway.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI for configuring a Bitagent Gateway and writing Claude-compatible project settings when the user runs explicit commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes agw commands such as init, target, login, status, doctor, env, or key rotate.
Impact
Configures local gateway targets/sessions and project Claude settings for the intended integration.
Mechanism
user-invoked gateway management CLI
Rationale
The suspicious primitives are package-aligned: user-invoked CLI commands manage gateway targets, sessions, credentials, and documented Claude settings wiring. There are no lifecycle hooks, stealth execution, unrelated exfiltration, persistence writes, or unconsented AI-agent control-surface mutation found by source inspection.
Evidence
package.jsonREADME.mddist/main.js~/.agw/config.json~/.agw/auth-token~/.agw/sessions/<hash>~/.agw/caps/<hash>.json.agw.json.claude/settings.local.json
Network endpoints4
gateway.bitagent.devcompat.bitagent.devregistry.npmjs.org/-/package/bitspark-agw/dist-tagsuser-configured adminUrl/compatUrl

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • CLI can write project .claude/settings.local.json with ANTHROPIC_BASE_URL and x-gateway-credential on explicit agw init/key rotate.
  • Reads/stores auth tokens and sessions under ~/.agw, and supports email/password/device login.
  • Uses child_process for git root/check-ignore and opening browser; completion text mentions shell profile persistence only as user instructions.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin only maps agw to dist/main.js.
  • README documents the .claude/settings.local.json wiring and ~/.agw storage as core CLI behavior.
  • Network calls are to configured gateway admin/compat URLs and default https://gateway.bitagent.dev / https://compat.bitagent.dev; npm registry fetch is version check.
  • No import-time execution beyond bundled definitions; actions are command-dispatched from the CLI.
  • No credential harvesting/exfiltration found; credentials are user-provided or minted via gateway and stored for package function.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.06 MB of source, external domains: compat.bitagent.dev, gateway.bitagent.dev, json-schema.org, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/main.jsView file
22057patternName = generic_password severity = medium line = 22057 matchedText = if (!fro...t) {
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/main.jsView on unpkg · L22057
70const here = dirname(fileURLToPath(import.meta.url)); L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0"; L72: } catch { ... L386: function defaultTarget(host, port) { L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` }; L388: } ... L457: ensureLegacyMigration(); L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"]; L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"]; ... L470: flagTarget: strFlag(args.flags["target"]), L471: cwd: process.cwd(), L472: defaultHost: host,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/main.jsView on unpkg · L70

Findings

4 Medium5 Low
MediumSecret Patterndist/main.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/main.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License