registry  /  @ccpocket/bridge  /  1.63.6

@ccpocket/bridge@1.63.6

Bridge server that connects Claude Agent SDK and Codex CLI sessions to mobile devices via WebSocket

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 792 KB of source, external domains: chatgpt.com, console.anthropic.com, docs.anthropic.com, git-scm.com, github.com, identitytoolkit.googleapis.com, nodejs.org, securetoken.googleapis.com, tailscale.com, us-central1-ccpocket-ca33b.cloudfunctions.net, www.apple.com

Source & flagged code

4 flagged · loading source
dist/firebase-auth.jsView file
18patternName = google_api_key severity = high line = 18 matchedText = const FI...vc";
High
High Secret

Package contains a high-severity secret pattern.

dist/firebase-auth.jsView on unpkg · L18
18patternName = google_api_key severity = high line = 18 matchedText = const FI...vc";
High
Secret Pattern

Google API key in dist/firebase-auth.js

dist/firebase-auth.jsView on unpkg · L18
dist/setup-launchd.jsView file
1import { execSync } from "node:child_process"; L2: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from "node:fs"; ... L8: function getPlistPath() { L9: const dir = join(homedir(), "Library", "LaunchAgents"); L10: if (!existsSync(dir)) ... L17: try { L18: execSync(`launchctl stop "${PLIST_LABEL}"`, { stdio: "ignore" }); L19: } ... L30: export function setupLaunchd(opts) { L31: const port = parseBridgePort(opts.port ?? process.env.BRIDGE_PORT); L32: const host = opts.host ?? process.env.BRIDGE_HOST ?? "0.0.0.0";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup-launchd.jsView on unpkg · L1
dist/doctor.jsView file
288patternName = google_api_key severity = high line = 288 matchedText = const FI...vc";
High
Secret Pattern

Google API key in dist/doctor.js

dist/doctor.jsView on unpkg · L288

Findings

3 High3 Medium5 Low
HighHigh Secretdist/firebase-auth.js
HighSecret Patterndist/firebase-auth.js
HighSecret Patterndist/doctor.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup-launchd.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings