bitspark-agw@0.16.55

Agent Gateway CLI — set up and manage your project's connection to the Bitagent Gateway.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `agw` commands such as `init`, `key rotate`, `target use`, `login`, or `doctor`.
Impact
Can redirect Claude-compatible traffic for a project to configured gateway endpoints and store project credentials locally when the user requests setup.
Mechanism
explicit CLI-managed gateway wiring and credential storage
Rationale
The package has real AI-agent config mutation capability, but it is an explicit gateway setup CLI with no install hooks or stealth execution. Treat as warn-level lifecycle/control-surface risk rather than malicious blocking behavior.
Evidence
  • package.json
  • dist/main.js
  • ~/.agw/config.json
  • ~/.agw/auth-token
  • ~/.agw/sessions/*
  • ~/.agw/caps/*.json
  • .claude/settings.local.json
  • .agw.json
Network endpoints (3)
  • gateway.bitagent.dev
  • compat.bitagent.dev
  • registry.npmjs.org/-/package/bitspark-agw/dist-tags

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/main.js has explicit `agw init`/`key rotate` paths that write `.claude/settings.local.json` with `ANTHROPIC_BASE_URL` and `x-gateway-credential`.
  • dist/main.js writes per-project `.agw.json` bindings and stores target/session/capability data under `~/.agw`.
  • dist/main.js performs gateway API calls and can mint/revoke project credentials/service tokens when invoked by CLI commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only `bin` maps `agw` to `dist/main.js`.
  • Agent config mutation is tied to explicit user commands such as `agw init`, `key rotate`, and `unlink`, not install-time execution.
  • Network endpoints are package-aligned Bitagent gateway/admin URLs plus npm version check; no unrelated exfiltration host found.
  • No obfuscated payload, eval/Function use, native binary loading, or remote code execution chain found in inspected source.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.06 MB of source, external domains: compat.bitagent.dev, gateway.bitagent.dev, json-schema.org, registry.npmjs.org

Source & flagged code

2 flagged
dist/main.js
L22133: patternName = generic_password, severity = medium, line = 22133, matchedText = if (!fro...t) {
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/main.js · L22133

L70: const here = dirname(fileURLToPath(import.meta.url));
L71: return JSON.parse(readFileSync(join(here, "..", "..", "package.json"), "utf-8")).version ?? "0.0.0";
L72: } catch {
...
L386: function defaultTarget(host, port) {
L387: return { adminUrl: `http://${host}:${port}`, compatUrl: `http://${host}:${port - 1}` };
L388: }
...
L457: ensureLegacyMigration();
L458: const hostOverride = strFlag(args.flags["host"]) ?? process.env["AGW_HOST"];
L459: const portOverride = strFlag(args.flags["port"]) ?? process.env["AGW_PORT"];
...
L470: flagTarget: strFlag(args.flags["target"]),
L471: cwd: process.cwd(),
L472: defaultHost: host,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/main.js · L70

Findings

4 Medium · 5 Low
  • Medium: Secret Pattern (dist/main.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Install Persistence (dist/main.js)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License