AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a user-invoked Hono bridge for Claude Agent SDK chat, Convex relay, attachments, and a bundled first-party reports plugin.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `baker-bridge hono` or imports `./hono`; no install-time trigger exists.
Impact
Expected runtime access to project content, ~/.baker session/error files, /tmp attachments, Convex APIs, optional MCP endpoints, and optional NotDiamond routing.
Mechanism
Authenticated HTTP bridge with agent SDK invocation, attachment download, runtime file helpers, and Convex relay.
Rationale
Static source inspection shows no lifecycle execution, exfiltration, stealth persistence, destructive behavior, or unconsented foreign AI-agent control-surface mutation. The risky primitives are runtime features aligned with the package purpose and activated by authenticated/user-invoked bridge operation.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/attachments.jsdist/hono/runtime-files.jsdist/hono/convex.jsdist/hono/mcp-servers.jsdist/hono/model-router.jsplugins/reports/.claude-plugin/plugin.jsonplugins/reports/skills/build/SKILL.md~/.baker/sessions/{threadId}.json~/.baker/relay-errors.jsonl/tmp/attachments/{timestamp}-{filename}src/lib/flow-engine/flows/{slug}/_data.jsonsrc/documents/{slug}.*COMPANY.mdsrc/brand/BRAND.mdsrc/content/**src/pages/{slug}/_definition.md
Network endpoints3
${BAKER_CONVEX_SITE_URL}/api/chat/*api.notdiamond.ai/v2/modelRouter/modelSelectuser-provided attachment URLs
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; bin only starts dist/cli.js on user command.
- dist/cli.js only dispatches `baker-bridge hono` to create/start the Hono server.
- dist/hono/attachments.js downloads user-supplied attachment URLs, validates image/PDF bytes, writes to runtime attachment storage, and runs local `pdftotext`.
- dist/hono/bridge-job.js invokes the Claude Agent SDK for authenticated chat turns with package-owned plugins and explicit disallowed tools, not install-time mutation.
- plugins/reports/.claude-plugin/plugin.json and plugins/reports/skills/build/SKILL.md are first-party report-building instructions, not hidden persistence or credential capture.
- Network calls are package-aligned: Convex relay/MCP endpoints from env and optional NotDiamond model routing.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => {
L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href)));
L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/hono/plugins.test.jsView on unpkg · L64dist/hono/attachments.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @koda-sl/baker-bridge@0.45.2
matchedIdentity = npm:QGtvZGEtc2wvYmFrZXItYnJpZGdl:0.45.2
similarity = 0.894
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/hono/attachments.jsView on unpkgFindings
1 High3 Medium4 Low
HighPrevious Version Dangerous Deltadist/hono/attachments.js
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings