registry  /  bitspark-agw  /  0.16.48

bitspark-agw@0.16.48

Agent Gateway CLI — set up and manage your project's connection to the Bitagent Gateway.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a gateway CLI that, when invoked, can wire Claude project settings and store gateway credentials locally as its documented core function.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw commands such as init, login, target, doctor, or completion.
Impact
Project settings and local gateway auth/cache files may be created or updated with user-selected gateway configuration.
Mechanism
user-invoked gateway configuration and API client
Rationale
The suspicious primitives are aligned with an Agent Gateway CLI: explicit commands configure endpoints, authenticate to the gateway, and wire Claude settings. There is no install-time execution or unconsented mutation/exfiltration path in the inspected source.
Evidence
package.jsondist/main.js~/.agw/config.json~/.agw/auth-token~/.agw/sessions/*~/.agw/caps/*.json~/.claude-gateway/config.json.claude/settings.local.json.agw.json
Network endpoints3
gateway.bitagent.devcompat.bitagent.devregistry.npmjs.org/-/package/bitspark-agw/dist-tags

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/main.js can write project .claude/settings.local.json and .agw.json during agw init.
  • dist/main.js stores tokens/sessions/capability cache under ~/.agw and migrates ~/.claude-gateway config.
  • dist/main.js contacts configured gateway endpoints and npm dist-tags during user-invoked commands.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Only bin entry is agw -> dist/main.js; behavior is CLI-triggered, not install-time.
  • Network defaults are package-aligned: https://gateway.bitagent.dev, https://compat.bitagent.dev, npm registry version check.
  • Credential handling is for gateway auth/login/init and local cache; no broad env/file harvesting or exfil path found.
  • child_process use is limited to git root discovery and opening browser/completion helper flows.
  • No prompt/reviewer manipulation, hidden payload, persistence service, destructive action, or dependency confusion found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.06 MB of source, external domains: compat.bitagent.dev, gateway.bitagent.dev, json-schema.org, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/main.jsView file
22057patternName = generic_password severity = medium line = 22057 matchedText = if (!fro...t) {
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/main.jsView on unpkg · L22057
70const here = dirname(fileURLToPath(import.meta.url)); L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0"; L72: } catch { ... L386: function defaultTarget(host, port) { L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` }; L388: } ... L457: ensureLegacyMigration(); L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"]; L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"]; ... L470: flagTarget: strFlag(args.flags["target"]), L471: cwd: process.cwd(), L472: defaultHost: host,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/main.jsView on unpkg · L70

Findings

4 Medium5 Low
MediumSecret Patterndist/main.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/main.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License