AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The suspicious primitives are package-aligned CLI behavior for configuring a Bitagent Gateway and wiring Claude settings when the user invokes agw init.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs agw CLI commands such as init, target, login, status, doctor, or completion.
Impact
User-requested local gateway configuration and credential wiring; no unconsented lifecycle execution or exfiltration found.
Mechanism
Documented gateway management CLI with local config writes and API requests.
Rationale
Static inspection shows a documented CLI that contacts configured Bitagent Gateway APIs and writes local config only during user-invoked commands. There are no lifecycle hooks, hidden payloads, credential harvesting, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
- package.json
- README.md
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/<hash>
- ~/.agw/caps/<hash>.json
- ~/.agw/.legacy-migrated
- ~/.claude-gateway/config.json
- .agw.json
- .claude/settings.local.json
Network endpoints (5)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
- configured adminUrl
- configured compatUrl
Decision evidence
public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; bin agw points to dist/main.js.
- dist/main.js only runs main() as CLI entrypoint; no import-time install persistence beyond CLI execution.
- dist/main.js writes ~/.agw config/session/caps and project .agw.json/.claude/settings.local.json for documented agw target/init/key commands.
- Network calls use configured gateway URLs plus https://gateway.bitagent.dev, https://compat.bitagent.dev, and npm dist-tags check for the CLI itself.
- child_process usage is limited to git root discovery and opening a browser for login; shell completion text mentions .bashrc/.zshrc but does not modify them.
- README documents agw init writing .claude/settings.local.json and ~/.agw configuration behavior.
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- UrlStrings
- NoLicense
Source & flagged code
2 flagged · dist/main.js
patternName = generic_password
severity = medium
line = 22096
matchedText = if (!fro...t) {
Medium
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
Findings
4 Medium · 5 Low
- Medium · Secret Pattern · dist/main.js
- Medium · Network
- Medium · Environment Vars
- Medium · Install Persistence · dist/main.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License