AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is present. An explicit CLI command can register this package as an MCP server and write its per-client backend configuration.
Static reason
No blocking static signals were detected.
Trigger
User runs `agent-bridge clients install <codex|claude-code|claude-desktop> --identity <name>`.
Impact
Adds an `agent-bridge` MCP integration to the selected agent runtime; subsequent runtime requests use a user-configured gateway token.
Mechanism
Explicit first-party AI-agent MCP registration and private client-config creation.
Rationale
Source inspection found no concrete malicious installation, exfiltration, or remote-payload chain. Flag as a warning because it intentionally performs explicit first-party agent-extension setup.
Evidence
package.jsonbin/agent-bridgedist/cli.jsdist/chunk-CEXBMOI5.jsclients/claude-desktop.jsonclients/codex.jsonclients/claude-code.json
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` exposes explicit `clients install` for Codex, Claude Code, and Claude Desktop.
- `dist/cli.js` writes private per-client config and registers an `agent-bridge` MCP server via native CLIs or Claude Desktop JSON.
- The install path invokes `codex`/`claude` with fixed MCP registration arguments and can modify Claude Desktop's MCP config.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `bin/agent-bridge` only runs its CLI after an explicit user command.
- `dist/chunk-CEXBMOI5.js` sends authenticated requests only to the caller-configured gateway and requires HTTPS except loopback.
- No hard-coded exfiltration endpoint, credential harvesting, dynamic payload loading, or eval-based remote execution was confirmed.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/chunk-MBPZXTJA.jsView file
14import {
L15: preparePrivateFileLocation,
L16: preparePrivateSqliteLocation,
...
L38: import { dirname, resolve } from "path";
L39: var MAGIC = Buffer.from("AGENT-BRIDGE-DR!", "ascii");
L40: var HEADER_BYTES = MAGIC.length + 2 + 4;
...
L410: // src/postgres-native-dr.ts
L411: import { spawn } from "child_process";
L412: import { createHash as createHash2, randomUUID } from "crypto";
...
L933: function resolvePostgresTool(tool, toolDirectory) {
L934: const executable = process.platform === "win32" ? `${tool}.exe` : tool;
L935: const candidates = toolDirectory ? [resolve2(toolDirectory, executable)] : (process.env.PATH ?? "").split(delimiter).filter(Boolean).map((directory) => resolve2(directory, executab...
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-MBPZXTJA.jsView on unpkg · L14Findings
2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/chunk-MBPZXTJA.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings