registry  /  llm-proxy-view  /  2.1.1

llm-proxy-view@2.1.1

LLM Proxy CLI - 代理转发和日志管理工具

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `claude-llm-proxy hook install` or enables/launches the remote-bridge channel.
Impact
User-authorized agent activity, request headers, and prompts may be routed through configured local/upstream/remote-bridge services.
Mechanism
Explicit AI-agent hook/MCP configuration plus local proxy and Claude subprocess integration.
Rationale
Source inspection shows explicit user-command AI-agent configuration and proxy capability, not install-time or covert malicious behavior. Flag as warn for dangerous capability rather than block.
Evidence
package.jsonbin/cli.jsbin/channel.jsdist/lib/claude-settings.jsdist/cli/commands/hook.jsdist/remote/mcp-config.jsdist/remote/cli-runner.jsdist/core/proxy.jsapp/macos-status-bar/bin/StatusBarApp~/.claude/settings.json.mcp.json~/.claude-proxy/config.json
Network endpoints1
localhost:<port>/api/hooks/<event>

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/claude-settings.js` writes managed HTTP hooks into `~/.claude/settings.json`.
  • `dist/cli/commands/hook.js` exposes that mutation only through explicit `hook install`/`uninstall` commands.
  • `dist/remote/mcp-config.js` writes a project `.mcp.json` entry that runs this package's channel binary.
  • `dist/remote/cli-runner.js` spawns the configured `claude` command for the optional remote-bridge feature.
  • `dist/core/proxy.js` forwards configured authorization/API-key headers and records proxy traffic locally.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • `bin/cli.js` and `bin/channel.js` only load CLI/channel entry modules when invoked.
  • Hook URLs are explicit `http://localhost:<port>/api/hooks/<event>` endpoints.
  • No `eval`, `vm`, remote payload loader, credential harvesting path, or hard-coded exfiltration host was found.
  • The shipped macOS binary is an arm64 status-bar executable linked to standard macOS frameworks; static strings show localhost proxy use.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 674 KB of source, external domains: 127.0.0.1, api.openai.com, oapi.dingtalk.com, open.feishu.cn, reactjs.org, www.w3.org, your-tunnel.example.com

Source & flagged code

1 flagged · loading source
app/macos-status-bar/bin/StatusBarAppView file
path = app/macos-status-bar/bin/StatusBarApp kind = native_binary sizeBytes = 163136 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

app/macos-status-bar/bin/StatusBarAppView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryapp/macos-status-bar/bin/StatusBarApp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
llm-proxy-view@2.1.1: Suspicious npm security report (Warn) | LPM Firewall