registry  /  @1presence/bridge  /  0.67.0

@1presence/bridge@0.67.0

Run 1Presence on your Mac and use your Claude.ai Pro subscription from any device

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-run bridge CLI that connects to 1Presence, drives local Claude Code, and stores transient local setup/spool files with restricted permissions.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs 1presence-bridge / npx @1presence/bridge
Impact
User conversations and tool outputs are relayed to the authenticated 1Presence service as described by the package purpose.
Mechanism
local Claude Code bridge with WebSocket gateway, MCP config, and turn spooling
Rationale
The suspicious primitives are aligned with a user-invoked local bridge for 1Presence and Claude Code, with no install-time hooks or unconsented global agent-control mutation. The auto-update npx path and local MCP file reader are notable risk areas, but source inspection shows package-scoped update behavior and session-confined reads rather than a concrete malicious chain.
Evidence
package.jsondist/index.jsdist/auth.jsdist/claude.jsdist/claudeAuth.jsdist/update.jsdist/outbox.jsdist/sessionPath.jsREADME.md/tmp/agent-${uid}.md/tmp/mcp-${uid}.json/tmp/1presence-bridge/CLAUDE.md~/.1presence/outbox/${conversationId}.json~/.1presence/auth.json
Network endpoints4
api.1presence.comwss://api.1presence.com/bridgesecuretoken.googleapis.com/v1/token?key=<firebase-api-key>registry.npmjs.org/@1presence/bridge/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/update.js checks npm registry on CLI startup and spawns npx for newer @1presence/bridge.
  • dist/index.js writes token-bearing MCP config and fetched system prompt to /tmp with 0600 permissions.
  • dist/claude.js creates a local MCP read_session_file tool, but confines reads to current Claude session path.
Evidence against
  • package.json has no preinstall/install/postinstall; prepare/prepack only run tsc.
  • dist/auth.js browser auth uses localhost nonce/CORS and keeps tokens in memory; legacy ~/.1presence/auth.json is removed.
  • dist/claude.js disables built-in tools, uses strict MCP config, and allowlists only 1Presence/local MCP tools.
  • Network endpoints are package-aligned: 1Presence gateway, Firebase token refresh, npm registry update check.
  • Child process usage is explicit CLI functionality: opens browser, probes/logs into claude, and invokes Claude Agent SDK.
  • No credential harvesting, broad filesystem traversal, persistence, destructive behavior, or install-time AI-agent mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 135 KB of source, external domains: api.1presence.com, registry.npmjs.org, securetoken.googleapis.com

Source & flagged code

4 flagged · loading source
dist/auth.jsView file
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
High Secret

Package contains a high-severity secret pattern.

dist/auth.jsView on unpkg · L186
186patternName = google_api_key severity = high line = 186 matchedText = const FI...i8';
High
Secret Pattern

Google API key in dist/auth.js

dist/auth.jsView on unpkg · L186
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process'; L2: import { createInterface } from 'node:readline';
High
Child Process

Package source references child process execution.

dist/claudeAuth.jsView on unpkg · L1
dist/update.jsView file
18try { L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', { L20: signal: AbortSignal.timeout(3000), ... L28: console.log(`Updating to v${latest}…\n`); L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], { L30: stdio: 'inherit', L31: env: process.env, L32: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/update.jsView on unpkg · L18

Findings

5 High2 Medium5 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings