AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface; sensitive operations are runtime bridge behavior for an authenticated 1Presence/Claude local-mode CLI. The riskiest behavior is user-invoked remote prompt/MCP execution and self-update via npx, not install-time compromise.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs npx @1presence/bridge or the 1presence-bridge bin.
Impact
Routes user chat/tool activity through 1Presence gateway and local Claude Code; no unconsented install/import execution identified.
Mechanism
Authenticated local AI bridge with WebSocket gateway, Claude SDK calls, MCP tools, and npm self-update check.
Rationale
Static inspection shows a user-invoked bridge whose network, token handling, Claude subprocess/SDK usage, and file writes match the package purpose and are bounded by runtime authentication and tool restrictions. The scanner hits are real dual-use primitives but not evidence of malicious install-time execution or covert exfiltration.
Evidence
package.jsonREADME.mddist/index.jsdist/auth.jsdist/claude.jsdist/update.jsdist/outbox.jsdist/sessionPath.js/tmp/agent-${uid}.md/tmp/mcp-${uid}.json/tmp/1presence-bridge/CLAUDE.md~/.1presence/outbox/${conversationId}.json~/.1presence/auth.json
Network endpoints7
api.1presence.comwss://api.1presence.com/bridgeapi.1presence.com/system-prompt-for-bridgeapi.1presence.com/mcpapi.1presence.com/bridge/save-turnsecuretoken.googleapis.com/v1/tokenregistry.npmjs.org/@1presence/bridge/latest
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- Runtime CLI fetches remote system prompts and MCP config from 1Presence gateway in dist/index.js.
- dist/update.js auto-checks npm registry and spawns npx for newer @1presence/bridge during CLI startup.
- dist/claude.js writes a temp CLAUDE.md guard and auto-allows 1Presence/local MCP tools for SDK-driven Claude turns.
Evidence against
- package.json prepare/prepack only run tsc; no install/postinstall hook executes package code.
- Network/auth behavior is disclosed and package-aligned in README.md as a local 1Presence bridge.
- dist/auth.js keeps auth in memory, deletes legacy ~/.1presence/auth.json, and uses nonce/CORS checks for localhost auth callback.
- dist/claude.js strips ANTHROPIC_API_KEY, disables built-in tools, uses strictMcpConfig, and confines local read_session_file to current Claude session path.
- No credential harvesting, persistence, destructive actions, dependency confusion, or reviewer/prompt-control file writes found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/auth.jsView file
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process';
L2: import { createInterface } from 'node:readline';
High
dist/update.jsView file
18try {
L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', {
L20: signal: AbortSignal.timeout(3000),
...
L28: console.log(`Updating to v${latest}…\n`);
L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], {
L30: stdio: 'inherit',
L31: env: process.env,
L32: });
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/update.jsView on unpkg · L18Findings
5 High2 Medium6 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License