AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a user-invoked bridge that authenticates with 1Presence, connects to its gateway, and drives local Claude/Claude Agent SDK workflows.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the 1presence-bridge CLI
Impact
User-authorized local bridge operation; possible self-update execution is disclosed by console but not lifecycle-triggered malware.
Mechanism
localhost auth, WebSocket bridge, Claude SDK/CLI orchestration, runtime npm update check
Rationale
Static inspection found risky primitives, but they are package-aligned for a CLI bridge and local Claude integration, with no unconsented install/import execution or exfiltration. The temp CLAUDE.md guard is an AI-agent control-surface write, but it is runtime-scoped to the bridge temp cwd and explicitly limits outside prompt influence rather than hijacking user agents.
Evidence
package.jsondist/index.jsdist/auth.jsdist/claudeAuth.jsdist/claude.jsdist/update.jsdist/outbox.jsdist/sessionPath.js~/.1presence/auth.json/tmp/1presence-bridge/CLAUDE.md/tmp/1presence-bridge/1presence-session-*.jsonl/tmp/1presence-bridge/1presence-outbox.jsonl
Network endpoints5
securetoken.googleapis.com/v1/tokenregistry.npmjs.org/@1presence/bridge/latestwss://api.1presence.appapp.1presence.appapi.1presence.app/mcp
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/update.js auto-checks npm registry and spawns npx to run a newer @1presence/bridge version at runtime.
- dist/claude.js writes a CLAUDE.md guard into os.tmpdir()/1presence-bridge on module load, modifying an AI agent control file.
- dist/claudeAuth.js invokes local claude CLI auth status/login when user runs bridge.
Evidence against
- package.json lifecycle hooks are only tsc build steps; no install/postinstall hook executes shipped code.
- dist/auth.js runs an explicit localhost browser sign-in flow with nonce/CORS and uses a public Firebase web API key for token refresh.
- Network endpoints are aligned with bridge functionality: 1Presence gateway/PWA, Firebase token refresh, npm update check, and remote MCP URL.
- dist/claude.js sets a dedicated temp working directory and passes settingSources: [] for Claude SDK rather than altering user/project settings.
- No credential harvesting loop, broad filesystem scan, persistence, destructive action, or import-time exfiltration found in inspected files.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/auth.jsView file
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process';
L2: import { createInterface } from 'node:readline';
High
dist/update.jsView file
18try {
L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', {
L20: signal: AbortSignal.timeout(3000),
...
L28: console.log(`Updating to v${latest}…\n`);
L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], {
L30: stdio: 'inherit',
L31: env: process.env,
L32: });
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/update.jsView on unpkg · L18Findings
5 High2 Medium5 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings