AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a gateway CLI that, when invoked, can wire Claude project settings and store gateway credentials locally as its documented core function.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw commands such as init, login, target, doctor, or completion.
Impact
Project settings and local gateway auth/cache files may be created or updated with user-selected gateway configuration.
Mechanism
user-invoked gateway configuration and API client
Rationale
The suspicious primitives are aligned with an Agent Gateway CLI: explicit commands configure endpoints, authenticate to the gateway, and wire Claude settings. There is no install-time execution or unconsented mutation/exfiltration path in the inspected source.
Evidence
- package.json
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/*
- ~/.agw/caps/*.json
- ~/.claude-gateway/config.json
- .claude/settings.local.json
- .agw.json
Network endpoints (3)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
Decision evidence
public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/main.js can write project .claude/settings.local.json and .agw.json during agw init.
- dist/main.js stores tokens/sessions/capability cache under ~/.agw and migrates ~/.claude-gateway config.
- dist/main.js contacts configured gateway endpoints and npm dist-tags during user-invoked commands.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Only bin entry is agw -> dist/main.js; behavior is CLI-triggered, not install-time.
- Network defaults are package-aligned: https://gateway.bitagent.dev, https://compat.bitagent.dev, npm registry version check.
- Credential handling is for gateway auth/login/init and local cache; no broad env/file harvesting or exfil path found.
- child_process use is limited to git root discovery and opening browser/completion helper flows.
- No prompt/reviewer manipulation, hidden payload, persistence service, destructive action, or dependency confusion found.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
NoLicense
Source & flagged code
2 flagged · dist/main.js
patternName = generic_password
severity = medium
line = 22057
matchedText = if (!fro...t) {
Medium
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
Findings
4 Medium · 5 Low
- Medium · Secret Pattern · dist/main.js
- Medium · Network
- Medium · Environment Vars
- Medium · Install Persistence · dist/main.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License