Aegis Bridge
Warn
Audited by ClawScan on May 10, 2026.
Overview
Aegis Bridge is coherent for local Claude Code orchestration, but its templates encourage auto-approving permissions and bash actions for spawned coding agents, so it should be reviewed before use.
Use this only if you trust the local Aegis server and the npx package it configures. Before using automated workflows, disable blanket auto-approval for bash and permission prompts, constrain sessions to trusted repositories, review diffs/transcripts before accepting changes, and clear or scope persistent memory carefully.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A spawned coding agent could run shell commands, trust folders, or use tools automatically, potentially changing files or repository state before you inspect the action.
The provided heartbeat loop automatically approves both normal permission prompts and bash approvals while driving a session, which can let a spawned coding agent run tools or shell commands without per-command human review.
permission_prompt|bash_approval) ... echo "Approving permission prompt." ... POST http://127.0.0.1:9100/v1/sessions/$SID/approve ... | Permission handling | Auto-approve |
Change the default loop to log and pause for human approval for bash, trust-folder, and tool-use prompts; only auto-approve in trusted sandboxes with constrained work directories and reviewed prompts.
If the package name or a future version is compromised, Claude Code could launch unreviewed MCP server code when the configured server starts.
The setup script persists an MCP server command that runs an unpinned npx package. This is disclosed and aligned with MCP setup, but it depends on the current external package resolution rather than a pinned, verified version.
claude mcp add --scope user aegis -- npx aegis-bridge mcp --port "$PORT"
Pin the package version, install from a trusted source, prefer project-scoped configuration when possible, and review the resulting Claude Code MCP config.
Stale, incorrect, or untrusted memory entries could influence future coding agents, and sensitive project details could persist longer than intended.
The references explicitly describe persistent and shared memory that can be injected into future session prompts.
Persist useful context between sessions using memory keys: project/<topic> ... session:<id>/<topic> ... team/<topic> ... Inject memory into prompts via memoryKeys
Store only trusted, non-sensitive context; prefer session-scoped keys or TTLs; review and delete stale project/team memory before using it in new agent runs.
