registry  /  @1presence/bridge  /  0.66.0

@1presence/bridge@0.66.0

Run 1Presence on your Mac and use your Claude.ai Pro subscription from any device

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked CLI bridge that connects local Claude Code to 1Presence services, with package-aligned network and local setup behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs npx @1presence/bridge or the 1presence-bridge bin.
Impact
Handles user chat/tool transcripts and bearer tokens for the intended bridge service; no evidence of covert exfiltration, install-time persistence, or foreign agent control mutation.
Mechanism
CLI bridge with auth, WebSocket relay, Claude Agent SDK MCP configuration, and runtime self-update check
Rationale
The suspicious primitives are consistent with the declared bridge CLI: runtime WebSocket/API calls, explicit local Claude Code invocation, token refresh, and constrained MCP setup. There is no install-time execution beyond tsc prepare, no broad AI-agent control-surface mutation, and no source evidence of credential harvesting or covert exfiltration.
Evidence
package.jsondist/index.jsdist/auth.jsdist/update.jsdist/claude.jsdist/claudeAuth.jsdist/outbox.jsdist/sessionPath.jsREADME.md~/.1presence/auth.json~/.1presence/outbox/*.json/tmp/agent-<uid>.md/tmp/mcp-<uid>.json/tmp/1presence-bridge/CLAUDE.md~/.claude/projects/<session>/*
Network endpoints4
api.1presence.comwss://api.1presence.com/bridgesecuretoken.googleapis.com/v1/tokenregistry.npmjs.org/@1presence/bridge/latest

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/update.js runtime check fetches npm latest and spawns npx for @1presence/bridge@latest.
  • dist/index.js writes per-user temp system prompt and MCP config containing a bearer token.
  • dist/claude.js creates a local MCP read_session_file tool, confined by dist/sessionPath.js.
Evidence against
  • package.json has no preinstall/install/postinstall; prepare is only tsc.
  • Network use is package-aligned bridge traffic to api.1presence.com, Firebase token refresh, and npm self-update check.
  • dist/claude.js disables built-in tools, uses strictMcpConfig, allowlists 1Presence/local MCP tools, and strips ANTHROPIC_API_KEY.
  • dist/auth.js browser auth uses localhost nonce and origin-scoped CORS; Firebase API key is commented as public web key.
  • dist/outbox.js spools only bridge turn records under ~/.1presence/outbox with mode 0600 for retry.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 135 KB of source, external domains: api.1presence.com, registry.npmjs.org, securetoken.googleapis.com

Source & flagged code

5 flagged · loading source
dist/auth.jsView file
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
High Secret

Package contains a high-severity secret pattern.

dist/auth.jsView on unpkg · L186
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
Secret Pattern

Google API key in dist/auth.js

dist/auth.jsView on unpkg · L186
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process'; L2: import { createInterface } from 'node:readline';
High
Child Process

Package source references child process execution.

dist/claudeAuth.jsView on unpkg · L1
dist/update.jsView file
18try { L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', { L20: signal: AbortSignal.timeout(3000), ... L28: console.log(`Updating to v${latest}…\n`); L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], { L30: stdio: 'inherit', L31: env: process.env, L32: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/update.jsView on unpkg · L18
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @1presence/bridge@0.65.0 matchedIdentity = npm:QDFwcmVzZW5jZS9icmlkZ2U:0.65.0 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

6 High2 Medium5 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighPrevious Version Dangerous Deltadist/index.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings