AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked Agent Gateway CLI that stores local gateway config and credentials and talks to Bitagent gateway APIs.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the agw CLI commands such as init, login, target, doctor, runs, or service-tokens.
Impact
Local gateway wiring and credential files may be created or updated as documented; no unconsented install-time or import-time behavior found.
Mechanism
User-directed CLI network/configuration operations
Rationale
Static inspection shows suspicious primitives are aligned with an interactive gateway-management CLI: no lifecycle hooks, no install-time execution, and .claude settings writes occur only through explicit user commands. The AI-agent control-surface mutation is consented project wiring, not hidden persistence or hijacking.
Evidence
- package.json
- dist/main.js
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/<hash>
- ~/.agw/caps/<hash>.json
- ~/.claude-gateway/config.json
- .agw.json
- .claude/settings.local.json
Network endpoints (3)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/main.js writes .claude/settings.local.json with ANTHROPIC_BASE_URL and x-gateway-credential, but only in explicit agw init/key rotate flows.
- dist/main.js reads ~/.agw/auth-token, sessions, caps and .claude/settings.local.json for CLI auth/config state.
- dist/main.js uses child_process execFileSync for git root/check-ignore and spawn only to open a browser for login.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bin is agw -> dist/main.js.
- Default network endpoints are package-aligned: https://gateway.bitagent.dev, https://compat.bitagent.dev, and npm dist-tags check in doctor.
- Network calls go through configured gateway API paths for auth, projects, runs, service tokens, capabilities, and are user-command driven.
- Legacy ~/.claude-gateway migration copies local target config into ~/.agw only on CLI execution, not install/import.
- No evidence of credential harvesting or exfiltration beyond user-configured gateway authentication and project credential management.
Behavioral surface
- Child Process
- Crypto
- Environment Vars
- Filesystem
- Network
- Shell
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
2 flagged · dist/main.js
Finding 1 · Medium · Secret Pattern
patternName = generic_password
severity = medium
line = 22106
matchedText = if (!fro...t) {
Finding 2 · Medium · Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Findings
4 Medium · 5 Low
- Medium · Secret Pattern · dist/main.js
- Medium · Network
- Medium · Environment Vars
- Medium · Install Persistence · dist/main.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License