AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An explicitly started HTTP bridge launches a Claude Agent SDK session against the current project and automatically loads a bundled reports plugin. That plugin can direct agent-driven creation of report files in the project workspace; no install-time behavior is present.
Static reason
No blocking static signals were detected.
Trigger
User runs `baker-bridge hono` and submits an authenticated agent message or command.
Impact
Authorized runtime use can cause AI-agent actions and report-file writes in the current project.
Mechanism
Runtime Claude Agent SDK bridge with a bundled local workspace-writing plugin.
Rationale
The package is not malicious by source evidence, but it automatically loads a first-party agent plugin that can guide workspace writes during its normal runtime. Per policy, this package-owned agent extension setup warrants a non-blocking warning rather than a clean verdict.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/plugins.jsplugins/reports/skills/build/SKILL.mdplugins/reports/skills/build/scripts/scaffold-report.mjs
Network endpoints1
api.notdiamond.ai/v2/modelRouter/modelSelect
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/hono/plugins.js` automatically supplies bundled `plugins/reports` to the Claude Agent SDK.
- `plugins/reports/skills/build/SKILL.md` instructs the agent to run a bundled scaffold script in the current workspace.
- `plugins/reports/skills/build/scripts/scaffold-report.mjs` creates report endpoint, HTML, and definition files.
- `dist/hono/bridge-job.js` and `dist/hono/agent.js` invoke the Claude Agent SDK with project settings and bundled plugins.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `dist/cli.js` starts behavior only after the explicit `baker-bridge hono` command.
- `dist/hono/server.js` protects message and mutation routes with a bearer token.
- No source evidence of credential harvesting, hidden exfiltration, destructive commands, eval/vm use, or foreign agent-config writes.
- `dist/hono/plugins.js` references only a package-bundled local plugin path.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => {
L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href)));
L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/hono/plugins.test.jsView on unpkg · L64Findings
3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings