
bitspark-agw@0.16.52

Agent Gateway CLI — set up and manage your project's connection to the Bitagent Gateway.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The suspicious primitives are package-aligned CLI behavior for configuring a Bitagent Gateway and wiring Claude settings when the user invokes agw init.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw CLI commands such as init, target, login, status, doctor, or completion.
Impact
User-requested local gateway configuration and credential wiring; no unconsented lifecycle execution or exfiltration found.
Mechanism
documented gateway management CLI with local config writes and API requests
Rationale
Static inspection shows a documented CLI that contacts configured Bitagent Gateway APIs and writes local config only during user-invoked commands. There are no lifecycle hooks, hidden payloads, credential harvesting, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.json, README.md, dist/main.js, ~/.agw/config.json, ~/.agw/auth-token, ~/.agw/sessions/<hash>, ~/.agw/caps/<hash>.json, ~/.agw/.legacy-migrated, ~/.claude-gateway/config.json, .agw.json, .claude/settings.local.json
Network endpoints (5)
gateway.bitagent.dev, compat.bitagent.dev, registry.npmjs.org/-/package/bitspark-agw/dist-tags, configured adminUrl, configured compatUrl

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin agw points to dist/main.js.
    • dist/main.js only runs main() as CLI entrypoint; no import-time install persistence beyond CLI execution.
    • dist/main.js writes ~/.agw config/session/caps and project .agw.json/.claude/settings.local.json for documented agw target/init/key commands.
    • Network calls use configured gateway URLs plus https://gateway.bitagent.dev, https://compat.bitagent.dev, and npm dist-tags check for the CLI itself.
    • child_process usage is limited to git root discovery and opening a browser for login; shell completion text mentions .bashrc/.zshrc but does not modify them.
    • README documents agw init writing .claude/settings.local.json and ~/.agw configuration behavior.
    Behavioral surface
    Source
    ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 1.06 MB of source, external domains: compat.bitagent.dev, gateway.bitagent.dev, json-schema.org, registry.npmjs.org

    Source & flagged code

    2 flagged
    dist/main.js
    L22096: patternName = generic_password severity = medium line = 22096 matchedText = if (!fro...t) {
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/main.js · L22096

    L70: const here = dirname(fileURLToPath(import.meta.url));
    L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
    L72: } catch {
    ...
    L386: function defaultTarget(host, port) {
    L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
    L388: }
    ...
    L457: ensureLegacyMigration();
    L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
    L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
    ...
    L470: flagTarget: strFlag(args.flags["target"]),
    L471: cwd: process.cwd(),
    L472: defaultHost: host,
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/main.js · L70

    Findings

    4 Medium, 5 Low
    Medium: Secret Pattern (dist/main.js)
    Medium: Network
    Medium: Environment Vars
    Medium: Install Persistence (dist/main.js)
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings
    Low: No License