registry  /  @1presence/bridge  /  0.65.0

@1presence/bridge@0.65.0

Run 1Presence on your Mac and use your Claude.ai Pro subscription from any device

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked bridge that connects a 1Presence account to local Claude Code and package-aligned MCP tools, with bounded local temp/outbox files.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the 1presence-bridge CLI via npx/npm bin
Impact
Relays user prompts, tool events, and saved turn records between local Claude Code and 1Presence; no unconsented install-time control-surface mutation observed.
Mechanism
package-aligned local bridge with WebSocket, MCP config, and Claude Agent SDK orchestration
Rationale
The suspicious primitives are aligned with the documented bridge function and activate on explicit CLI use, not npm installation. Although the package creates agent-facing temporary files and exposes remote MCP tools, controls are scoped to its own temp cwd/session and no lifecycle hijack, credential exfiltration, persistence, or destructive behavior was found.
Evidence
package.jsondist/index.jsdist/claude.jsdist/auth.jsdist/update.jsdist/outbox.jsdist/sessionPath.jsdist/claudeAuth.js/tmp/agent-${uid}.md/tmp/mcp-${uid}.json/tmp/1presence-bridge/CLAUDE.md~/.1presence/outbox/${conversationId}.json~/.1presence/auth.json
Network endpoints7
api.1presence.comwss://api.1presence.com/bridgeapi.1presence.com/system-prompt-for-bridgeapi.1presence.com/mcpapi.1presence.com/bridge/save-turnregistry.npmjs.org/@1presence/bridge/latestsecuretoken.googleapis.com/v1/token

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI writes a CLAUDE.md guard under /tmp/1presence-bridge and per-user prompt/MCP JSON under /tmp.
  • Runtime connects to api.1presence.com, fetches system prompts, registers an SSE MCP server, and streams turns through local Claude Code.
  • Runtime auto-update check can spawn npx @1presence/bridge@latest before normal startup.
  • Bridge stores pending turn transcripts under ~/.1presence/outbox for retry.
Evidence against
  • package.json has no install/postinstall hook; prepare/prepack are only tsc build commands.
  • No lifecycle-triggered writes to foreign AI-agent config, home Claude settings, .mcp.json, shell startup files, or project control surfaces found.
  • Claude SDK options use strictMcpConfig, settingSources: [], tools: [], permissionMode: default, and allowed MCP names only.
  • Local read_session_file tool is read-only and confined to ~/.claude/projects paths containing the current session id.
  • Auth flow keeps tokens in memory and deletes legacy ~/.1presence/auth.json on import; public Firebase web API key is used only for token refresh.
  • ANTHROPIC_API_KEY is stripped from child environment before Claude SDK queries.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 133 KB of source, external domains: api.1presence.com, registry.npmjs.org, securetoken.googleapis.com

Source & flagged code

4 flagged · loading source
dist/auth.jsView file
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
High Secret

Package contains a high-severity secret pattern.

dist/auth.jsView on unpkg · L186
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
Secret Pattern

Google API key in dist/auth.js

dist/auth.jsView on unpkg · L186
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process'; L2: import { createInterface } from 'node:readline';
High
Child Process

Package source references child process execution.

dist/claudeAuth.jsView on unpkg · L1
dist/update.jsView file
18try { L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', { L20: signal: AbortSignal.timeout(3000), ... L28: console.log(`Updating to v${latest}…\n`); L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], { L30: stdio: 'inherit', L31: env: process.env, L32: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/update.jsView on unpkg · L18

Findings

5 High2 Medium5 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings