registry  /  @ccpocket/bridge  /  1.66.0

@ccpocket/bridge@1.66.0

Bridge server that connects Claude Agent SDK and Codex CLI sessions to mobile devices via WebSocket

AI Security Review

scanned 44s ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A user-run bridge server exposes local coding-agent, file, and Git capabilities over HTTP/WebSocket. Its default bind address is all interfaces and authentication is optional. Explicit setup can persist a user service that launches the package’s latest npm version.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `ccpocket-bridge` or explicitly invoke `ccpocket-bridge setup`.
Impact
An unauthenticated reachable bridge could let a network client invoke intended high-privilege bridge capabilities.
Mechanism
Remote WebSocket control of local agent and project operations.
Rationale
No malicious chain is confirmed: installation is inert and sensitive behavior is tied to the package’s stated, user-invoked bridge function. The insecure default network exposure and explicit persistence merit a warning.
Evidence
package.jsondist/index.jsdist/cli.jsdist/websocket.jsdist/firebase-auth.jsdist/push-relay.jsdist/setup-launchd.jsdist/setup-systemd.jsdist/path-utils.jsdist/codex-app-server-config.js~/.ccpocket/firebase-credentials.json~/Library/LaunchAgents/com.ccpocket.bridge.plist~/.config/systemd/user/ccpocket-bridge.service
Network endpoints3
identitytoolkit.googleapis.com/v1/accounts:signUp?key=${FIREBASE_API_KEY}securetoken.googleapis.com/v1/token?key=${FIREBASE_API_KEY}us-central1-ccpocket-ca33b.cloudfunctions.net/relay

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` starts a network bridge on `0.0.0.0` by default.
  • `dist/websocket.js` accepts clients without authentication unless `BRIDGE_API_KEY` is configured.
  • `dist/websocket.js` exposes agent sessions, file reads, Git actions, and permission/sandbox mode selection to WebSocket clients.
  • `dist/setup-launchd.js` and `dist/setup-systemd.js` create persistent user services only through explicit `ccpocket-bridge setup`.
  • `dist/setup-launchd.js` service command uses `npx --yes @ccpocket/bridge@latest`.
  • `dist/push-relay.js` sends registered-device push metadata to the configured Firebase relay.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/cli.js` gates service creation behind the explicit `setup` command.
  • No `eval`, VM, native loading, or hidden dynamic payload execution found.
  • Firebase calls implement documented anonymous-auth and push-relay behavior; no credential harvesting was found.
  • Persistent files are package-owned paths under `~/.ccpocket` or explicit OS service locations.
  • WebSocket API-key rejection is implemented when `BRIDGE_API_KEY` is supplied.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 810 KB of source, external domains: chatgpt.com, console.anthropic.com, docs.anthropic.com, git-scm.com, github.com, identitytoolkit.googleapis.com, nodejs.org, securetoken.googleapis.com, tailscale.com, us-central1-ccpocket-ca33b.cloudfunctions.net, www.apple.com

Source & flagged code

5 flagged · loading source
dist/firebase-auth.jsView file
18patternName = google_api_key severity = high line = 18 matchedText = const FI...vc";
High
High Secret

Package contains a high-severity secret pattern.

dist/firebase-auth.jsView on unpkg · L18
18patternName = google_api_key severity = high line = 18 matchedText = const FI...vc";
High
Secret Pattern

Google API key in dist/firebase-auth.js

dist/firebase-auth.jsView on unpkg · L18
dist/setup-launchd.jsView file
1import { execSync } from "node:child_process"; L2: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from "node:fs"; ... L8: function getPlistPath() { L9: const dir = join(homedir(), "Library", "LaunchAgents"); L10: if (!existsSync(dir)) ... L17: try { L18: execSync(`launchctl stop "${PLIST_LABEL}"`, { stdio: "ignore" }); L19: } ... L30: export function setupLaunchd(opts) { L31: const port = parseBridgePort(opts.port ?? process.env.BRIDGE_PORT); L32: const host = opts.host ?? process.env.BRIDGE_HOST ?? "0.0.0.0";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup-launchd.jsView on unpkg · L1
dist/websocket.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ccpocket/bridge@1.64.0 matchedIdentity = npm:QGNjcG9ja2V0L2JyaWRnZQ:1.64.0 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/websocket.jsView on unpkg
dist/doctor.jsView file
288patternName = google_api_key severity = high line = 288 matchedText = const FI...vc";
High
Secret Pattern

Google API key in dist/doctor.js

dist/doctor.jsView on unpkg · L288

Findings

4 High3 Medium5 Low
HighHigh Secretdist/firebase-auth.js
HighPrevious Version Dangerous Deltadist/websocket.js
HighSecret Patterndist/firebase-auth.js
HighSecret Patterndist/doctor.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup-launchd.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings