AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked local HTTP bridge that runs Claude Agent SDK sessions, persists chat state to a configured Convex backend, and bundles a first-party reports plugin.
Static reason
No blocking static signals were detected.
Trigger
Explicit CLI/programmatic start: `baker-bridge hono` or createServer().start()
Impact
Expected agent bridge capabilities: project file access through the SDK, local session/memory files, attachment downloads, and chat relay posts.
Mechanism
local Hono bridge to Claude Agent SDK with env-configured Convex relay and package-owned plugin
Rationale
Source inspection shows a documented, explicit-run bridge with broad but package-aligned AI-agent/server behavior and no install-time mutation or covert exfiltration. Suspicious primitives such as fetch, env vars, child_process git/hook recovery, and .claude memory are tied to the advertised sandbox bridge workflow.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/convex.jsdist/hono/runtime-files.jsdist/hono/sandbox-content.jsdist/hono/attachments.jsdist/hono/model-router.jsdist/hono/plugins.jsplugins/reports/.claude-plugin/plugin.json~/.baker/sessions/*.json~/.baker/relay-errors.jsonl/tmp/attachments/*<project>/.claude/memory/*<project>/src/lib/flow-engine/flows/*/_data.json<project>/COMPANY.md<project>/src/brand/BRAND.md<project>/src/content/**<project>/src/documents/**<project>/__tooling__/hooks/base/recover-stalled-publish.mjs
Network endpoints5
${BAKER_CONVEX_SITE_URL}/api/chat/stream${BAKER_CONVEX_SITE_URL}/api/chat/event${BAKER_CONVEX_SITE_URL}/api/chat/complete${BAKER_CONVEX_SITE_URL}/api/chats/memoryapi.notdiamond.ai/v2/modelRouter/modelSelect
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- User-invoked server can run Claude Agent SDK with project settings and bundled local plugin via dist/hono/bridge-job.js and dist/hono/plugins.js.
- Runtime writes local state/attachments under ~/.baker, /tmp/attachments, and project .claude/memory via dist/hono/runtime-files.js.
- Runtime posts chat events/memory to env-controlled BAKER_CONVEX_SITE_URL and optional NotDiamond router URL.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/cli.js only starts the Hono server for explicit `baker-bridge hono`; no import-time execution beyond definitions.
- Plugin files under plugins/reports are package-owned Claude plugin metadata/skill, not an install-time mutation of a foreign agent config.
- Network endpoints are documented and env/user configured except optional NotDiamond model routing.
- File reads/writes are bounded to the project sandbox, ~/.baker state, and /tmp attachments for documented bridge behavior.
- No credential harvesting, stealth persistence, destructive payload, native binary loading, or remote code download found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => {
L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href)));
L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/hono/plugins.test.jsView on unpkg · L64Findings
3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings