bitspark-agw@0.16.51

Agent Gateway CLI — set up and manage your project's connection to the Bitagent Gateway.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked Agent Gateway CLI that configures local gateway credentials and talks to gateway APIs.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw commands such as init, login, target, doctor, runs, or key rotate.
Impact
Writes local gateway/Claude settings when requested and sends credentials to configured gateway endpoints.
Mechanism
CLI configuration, authentication, and gateway API client
Rationale
Static inspection shows suspicious primitives are package-aligned and user-invoked: gateway networking, local credential/session storage, browser opening, and Claude settings wiring are documented CLI functions. No lifecycle execution, credential harvesting/exfiltration, persistence abuse, destructive behavior, staged payload, or unconsented AI-agent control mutation was found.
Evidence
package.json, dist/main.js, ~/.agw/config.json, ~/.agw/auth-token, ~/.agw/sessions/<hash>, ~/.agw/caps/<hash>.json, ~/.claude-gateway/config.json, .claude/settings.local.json, .agw.json
Network endpoints (4)
gateway.bitagent.dev, compat.bitagent.dev, registry.npmjs.org/-/package/bitspark-agw/dist-tags, user-supplied --admin-url/--compat-url/--base-url

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only bin agw -> dist/main.js.
    • dist/main.js executes CLI main only from argv; no import-time hidden payload beyond normal command dispatch.
    • Network calls go to configured gateway admin/compat URLs or npm dist-tags for update check, matching Agent Gateway CLI purpose.
    • Credential/session reads and writes are local CLI state: ~/.agw, .claude/settings.local.json, and .agw.json during user-invoked commands.
    • child_process use is limited to git root discovery and opening browser/completion UX; no arbitrary downloaded execution observed.
    • Claude settings mutation is documented agw init/unlink/key rotate behavior, not lifecycle or unconsented control-surface hijack.
    Behavioral surface
    Source
    ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 1.06 MB of source, external domains: compat.bitagent.dev, gateway.bitagent.dev, json-schema.org, registry.npmjs.org

    Source & flagged code

    2 flagged
    dist/main.js
    L22096: patternName = generic_password severity = medium line = 22096 matchedText = if (!fro...t) {
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/main.js · L22096
    L70: const here = dirname(fileURLToPath(import.meta.url));
    L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
    L72: } catch {
    ...
    L386: function defaultTarget(host, port) {
    L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
    L388: }
    ...
    L457: ensureLegacyMigration();
    L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
    L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
    ...
    L470: flagTarget: strFlag(args.flags["target"]),
    L471: cwd: process.cwd(),
    L472: defaultHost: host,
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/main.js · L70

    Findings

    4 Medium, 5 Low
    Medium: Secret Pattern (dist/main.js)
    Medium: Network
    Medium: Environment Vars
    Medium: Install Persistence (dist/main.js)
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings
    Low: No License