AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The sensitive behavior is an explicitly invoked Agent Gateway CLI that wires Claude project settings and stores gateway config/secrets for its own service.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `agw` commands such as `agw init`, `agw login`, `agw target`, or `agw doctor`.
Impact
Project Claude traffic can be routed through the configured Bitagent gateway after explicit CLI setup; no install-time or covert mutation found.
Mechanism
user-invoked gateway configuration and API client
Rationale
The scanner's agent-control and persistence signals are explained by documented, user-invoked gateway setup, not npm lifecycle delivery or hidden control-surface hijacking. Source inspection found no exfiltration, destructive behavior, remote payload loading, or unconsented install/import-time execution.
Evidence
- package.json
- README.md
- dist/main.js
- .claude/settings.local.json
- .agw.json
- ~/.agw/config.json
- ~/.agw/auth-token
- ~/.agw/sessions/*
- ~/.claude-gateway/config.json
Network endpoints (3)
- gateway.bitagent.dev
- compat.bitagent.dev
- registry.npmjs.org/-/package/bitspark-agw/dist-tags
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/main.js user-invoked `agw init` writes `.claude/settings.local.json` with `ANTHROPIC_BASE_URL` and `x-gateway-credential`.
- dist/main.js stores targets/sessions under `~/.agw/` and migrates legacy `~/.claude-gateway` config on CLI run.
- dist/main.js can open a browser for login and runs `git` only for root/gitignore checks.
Evidence against
- package.json has no npm lifecycle hooks; only bin `agw` points to `dist/main.js`.
- README.md documents `agw init` writing `.claude/settings.local.json`; this is the package's stated gateway setup behavior.
- No install-time execution, no hidden persistence, no destructive file operations, and no broad credential harvesting found.
- Network calls are to configured gateway APIs plus package-aligned defaults and npm dist-tags version check.
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- UrlStrings
- NoLicense
Source & flagged code
2 flagged · dist/main.js
patternName = generic_password
severity = medium
line = 22124
matchedText = if (!fro...t) {
Medium
L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/main.js · L70
Findings
4 Medium · 5 Low
- Medium: Secret Pattern (dist/main.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Install Persistence (dist/main.js)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License