registry  /  @creatornader/agent-bridge  /  0.3.0

@creatornader/agent-bridge@0.3.0

Durable, pull-first mailbox and work-delivery control plane for AI agents across runtimes, sessions, and machines.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is present. An explicit CLI command can register this package as an MCP server and write its per-client backend configuration.

Static reason
No blocking static signals were detected.
Trigger
User runs `agent-bridge clients install <codex|claude-code|claude-desktop> --identity <name>`.
Impact
Adds an `agent-bridge` MCP integration to the selected agent runtime; subsequent runtime requests use a user-configured gateway token.
Mechanism
Explicit first-party AI-agent MCP registration and private client-config creation.
Rationale
Source inspection found no concrete malicious installation, exfiltration, or remote-payload chain. Flag as a warning because it intentionally performs explicit first-party agent-extension setup.
Evidence
package.jsonbin/agent-bridgedist/cli.jsdist/chunk-CEXBMOI5.jsclients/claude-desktop.jsonclients/codex.jsonclients/claude-code.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` exposes explicit `clients install` for Codex, Claude Code, and Claude Desktop.
  • `dist/cli.js` writes private per-client config and registers an `agent-bridge` MCP server via native CLIs or Claude Desktop JSON.
  • The install path invokes `codex`/`claude` with fixed MCP registration arguments and can modify Claude Desktop's MCP config.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/agent-bridge` only runs its CLI after an explicit user command.
  • `dist/chunk-CEXBMOI5.js` sends authenticated requests only to the caller-configured gateway and requires HTTPS except loopback.
  • No hard-coded exfiltration endpoint, credential harvesting, dynamic payload loading, or eval-based remote execution was confirmed.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 689 KB of source, external domains: agent-bridge.dev, gateway.invalid, json-schema.org

Source & flagged code

1 flagged · loading source
dist/chunk-MBPZXTJA.jsView file
14import { L15: preparePrivateFileLocation, L16: preparePrivateSqliteLocation, ... L38: import { dirname, resolve } from "path"; L39: var MAGIC = Buffer.from("AGENT-BRIDGE-DR!", "ascii"); L40: var HEADER_BYTES = MAGIC.length + 2 + 4; ... L410: // src/postgres-native-dr.ts L411: import { spawn } from "child_process"; L412: import { createHash as createHash2, randomUUID } from "crypto"; ... L933: function resolvePostgresTool(tool, toolDirectory) { L934: const executable = process.platform === "win32" ? `${tool}.exe` : tool; L935: const candidates = toolDirectory ? [resolve2(toolDirectory, executable)] : (process.env.PATH ?? "").split(delimiter).filter(Boolean).map((directory) => resolve2(directory, executab...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-MBPZXTJA.jsView on unpkg · L14

Findings

2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/chunk-MBPZXTJA.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings