AI Security Review
scanned 2h ago · by lpm-firewall-aiUser-run bridge connects to 1Presence and invokes the local Claude runtime for relayed conversations. The observed network, subprocess, and temporary-file use implement the documented bridge behavior; no confirmed malicious attack chain is established.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `1presence-bridge` or `npx @1presence/bridge`.
Impact
Can process user-authorized 1Presence conversations and connector tools through the local Claude subscription.
Mechanism
Authenticated 1Presence relay to a constrained Claude/MCP runtime.
Rationale
Static inspection shows a documented, user-invoked remote-agent bridge with expected network and Claude subprocess behavior. Its lifecycle hook only compiles TypeScript, and source-level guards constrain local access and tool execution; no concrete malicious behavior was found.
Evidence
package.jsondist/index.jsdist/auth.jsdist/claude.jsdist/claudeAuth.jsdist/update.jsdist/sessionPath.jsdist/outbox.jsdist/accumulator.jsREADME.md
Network endpoints3
api.1presence.comregistry.npmjs.org/@1presence/bridge/latestsecuretoken.googleapis.com/v1/token
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime CLI opens an authenticated WebSocket to the 1Presence gateway and relays messages to Claude.
- `dist/update.js` can invoke `npx` only after its runtime update check finds a newer package.
- `dist/index.js` downloads gateway-requested document content for an explicit vision-reconstruction feature.
Evidence against
- `package.json` has only `prepare: tsc`; no preinstall/install/postinstall hook.
- Entry point is a user-invoked CLI/bin, not import-time background execution.
- Auth tokens are kept in memory; `dist/auth.js` removes the legacy persisted auth file.
- MCP configuration and system prompt are written as mode `0600` temporary files.
- Claude runtime disables built-in tools and permits only 1Presence MCP plus a session-confined read-only local tool.
- No credential harvesting, arbitrary local-file reads, destructive behavior, or covert exfiltration was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/auth.jsView file
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
186patternName = google_api_key
severity = high
line = 186
matchedText = const FI...i8';
High
dist/claudeAuth.jsView file
1import { spawn } from 'node:child_process';
L2: import { createInterface } from 'node:readline';
High
dist/update.jsView file
18try {
L19: const res = await fetch('https://registry.npmjs.org/@1presence/bridge/latest', {
L20: signal: AbortSignal.timeout(3000),
...
L28: console.log(`Updating to v${latest}…\n`);
L29: const child = spawn('npx', ['--yes', `@1presence/bridge@${latest}`], {
L30: stdio: 'inherit',
L31: env: process.env,
L32: });
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/update.jsView on unpkg · L18Findings
5 High2 Medium5 Low
HighHigh Secretdist/auth.js
HighChild Processdist/claudeAuth.js
HighShell
HighSame File Env Network Executiondist/update.js
HighSecret Patterndist/auth.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings