AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked Agent Gateway CLI that configures local gateway credentials and talks to gateway APIs.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw commands such as init, login, target, doctor, runs, or key rotate.
Impact
Writes local gateway/Claude settings when requested and sends credentials to configured gateway endpoints.
Mechanism
CLI configuration, authentication, and gateway API client
Rationale
Static inspection shows suspicious primitives are package-aligned and user-invoked: gateway networking, local credential/session storage, browser opening, and Claude settings wiring are documented CLI functions. No lifecycle execution, credential harvesting/exfiltration, persistence abuse, destructive behavior, staged payload, or unconsented AI-agent control mutation was found.
Evidence
- package.json
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/<hash>
- ~/.agw/caps/<hash>.json
- ~/.claude-gateway/config.json
- .claude/settings.local.json
- .agw.json
Network endpoints (4)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
- user-supplied --admin-url/--compat-url/--base-url
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin agw -> dist/main.js.
- dist/main.js executes CLI main only from argv; no import-time hidden payload beyond normal command dispatch.
- Network calls go to configured gateway admin/compat URLs or npm dist-tags for update check, matching Agent Gateway CLI purpose.
- Credential/session reads and writes are local CLI state: ~/.agw, .claude/settings.local.json, and .agw.json during user-invoked commands.
- child_process use is limited to git root discovery and opening browser/completion UX; no arbitrary downloaded execution observed.
- Claude settings mutation is documented agw init/unlink/key rotate behavior, not lifecycle or unconsented control-surface hijack.
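The first three points above are mechanical checks that can be reproduced on any npm tarball before trusting a report like this one. The script below is an added example, not code from lpm-firewall-ai or from the bitspark-agw package: it inspects a constructed package.json for lifecycle hooks and bin entries, and scans a constructed source excerpt for child_process call sites, hard-coded hosts and runtime-templated URLs (the `http://${host}:${port}` shape seen in defaultTarget). The manifest, the source lines and the verdict labels are all assumptions made for illustration.

```javascript
// Added example (not the scanner's or the package's own code): reproduce the
// static triage checks from the evidence list on an npm package's manifest
// and bundled source. All inputs below are constructed stand-ins.

// Lifecycle scripts npm runs without the user invoking the CLI.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "preuninstall", "uninstall", "postuninstall",
  "prepublish", "prepare", "prepack", "postpack",
];

// Which lifecycle hooks are declared in package.json "scripts".
function lifecycleHooks(pkg) {
  const scripts = pkg.scripts ?? {};
  return LIFECYCLE_HOOKS.filter((name) => name in scripts);
}

// Normalise "bin" (string or object) to { command: target } so the
// user-invoked entry points can be listed.
function binTargets(pkg) {
  if (typeof pkg.bin === "string") return { [pkg.name]: pkg.bin };
  return { ...(pkg.bin ?? {}) };
}

// Pull out child_process call sites, hard-coded hosts and runtime-templated
// URLs from source text. Template literals such as `http://${host}` carry no
// literal host and are counted separately as user/config-supplied endpoints.
function scanSource(src) {
  const childProcess = [...src.matchAll(
    /\b(execSync|execFileSync|spawnSync|exec|execFile|spawn|fork)\s*\(/g,
  )].map((m) => m[1]);
  const hosts = [...new Set(
    [...src.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map((m) => m[1]),
  )];
  const templatedUrls = [...src.matchAll(/https?:\/\/\$\{/g)].length;
  return { childProcess, hosts, templatedUrls };
}

// Combine the checks: anything that runs at install time needs a human look
// before the "user-invoked CLI" reasoning can apply. Verdict labels are
// assumed names for this example.
function triage(pkg, src) {
  const hooks = lifecycleHooks(pkg);
  return {
    lifecycleHooks: hooks,
    bin: binTargets(pkg),
    ...scanSource(src),
    verdict: hooks.length > 0 ? "lifecycle-execution" : "user-invoked-only",
  };
}

// Constructed manifest resembling a CLI with a single bin and no hooks.
const pkg = {
  name: "example-cli",
  version: "1.0.0",
  bin: { agw: "dist/main.js" },
  scripts: { build: "tsc", test: "node --test" },
};

// Same manifest with a postinstall hook added: the case that would block.
const pkgWithHook = {
  ...pkg,
  scripts: { ...pkg.scripts, postinstall: "node dist/setup.js" },
};

// Constructed source excerpt carrying the patterns the evidence list describes.
const src = [
  'import { execSync, spawn } from "node:child_process";',
  'const root = execSync("git rev-parse --show-toplevel").toString().trim();',
  "function defaultTarget(host, port) {",
  "  return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };",
  "}",
  'const DIST_TAGS = "https://registry.npmjs.org/-/package/bitspark-agw/dist-tags";',
  'const DEFAULT_GATEWAY = "https://gateway.bitagent.dev";',
  "spawn(opener, [url], { detached: true });",
].join("\n");

console.log(JSON.stringify(triage(pkg, src), null, 2));
console.log(triage(pkgWithHook, src).verdict);
```

The hard-coded hosts the scan returns should match the "Network endpoints" list above; anything extra is the first thing to read by hand, and a non-empty lifecycleHooks result means the "user-invoked only" argument in the rationale does not hold for that package.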
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- UrlStrings
- NoLicense
Source & flagged code
2 flagged · dist/main.js
patternName = generic_password
severity = medium
line = 22096
matchedText = if (!fro...t) {
Medium
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
The anchored line L70 is the import.meta.url path resolution shown in the excerpt above, used to read the package's own package.json version; the AI rationale above reports no persistence abuse, so this heuristic hit should be read against that excerpt rather than taken as a confirmed write to a shell profile or service.
Findings
4 Medium · 5 Low
- Medium · Secret Pattern · dist/main.js
- Medium · Network
- Medium · Environment Vars
- Medium · Install Persistence · dist/main.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License