registry  /  @koda-sl/baker-bridge  /  0.47.0

@koda-sl/baker-bridge@0.47.0

HTTP server wrapping the Claude Agent SDK. Persists chat events to Convex; the dashboard subscribes via Convex realtime

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked Hono bridge for Claude Agent SDK chat, Convex relay, attachments, and a bundled first-party reports plugin.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `baker-bridge hono` or imports `./hono`; no install-time trigger exists.
Impact
Expected runtime access to project content, ~/.baker session/error files, /tmp attachments, Convex APIs, optional MCP endpoints, and optional NotDiamond routing.
Mechanism
Authenticated HTTP bridge with agent SDK invocation, attachment download, runtime file helpers, and Convex relay.
Rationale
Static source inspection shows no lifecycle execution, exfiltration, stealth persistence, destructive behavior, or unconsented foreign AI-agent control-surface mutation. The risky primitives are runtime features aligned with the package purpose and activated by authenticated/user-invoked bridge operation.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/attachments.jsdist/hono/runtime-files.jsdist/hono/convex.jsdist/hono/mcp-servers.jsdist/hono/model-router.jsplugins/reports/.claude-plugin/plugin.jsonplugins/reports/skills/build/SKILL.md~/.baker/sessions/{threadId}.json~/.baker/relay-errors.jsonl/tmp/attachments/{timestamp}-{filename}src/lib/flow-engine/flows/{slug}/_data.jsonsrc/documents/{slug}.*COMPANY.mdsrc/brand/BRAND.mdsrc/content/**src/pages/{slug}/_definition.md
Network endpoints3
${BAKER_CONVEX_SITE_URL}/api/chat/*api.notdiamond.ai/v2/modelRouter/modelSelectuser-provided attachment URLs

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; bin only starts dist/cli.js on user command.
    • dist/cli.js only dispatches `baker-bridge hono` to create/start the Hono server.
    • dist/hono/attachments.js downloads user-supplied attachment URLs, validates image/PDF bytes, writes to runtime attachment storage, and runs local `pdftotext`.
    • dist/hono/bridge-job.js invokes the Claude Agent SDK for authenticated chat turns with package-owned plugins and explicit disallowed tools, not install-time mutation.
    • plugins/reports/.claude-plugin/plugin.json and plugins/reports/skills/build/SKILL.md are first-party report-building instructions, not hidden persistence or credential capture.
    • Network calls are package-aligned: Convex relay/MCP endpoints from env and optional NotDiamond model routing.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 50 file(s), 336 KB of source, external domains: api.example.com, api.notdiamond.ai, example.com, example.convex.site, hooks.zapier.com, mcp.example, media.example, same.url

    Source & flagged code

    2 flagged · loading source
    dist/hono/plugins.test.jsView file
    64it("keeps the vendored scaffold path contract in sync", async () => { L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href))); L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/hono/plugins.test.jsView on unpkg · L64
    dist/hono/attachments.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @koda-sl/baker-bridge@0.45.2 matchedIdentity = npm:QGtvZGEtc2wvYmFrZXItYnJpZGdl:0.45.2 similarity = 0.894 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/hono/attachments.jsView on unpkg

    Findings

    1 High3 Medium4 Low
    HighPrevious Version Dangerous Deltadist/hono/attachments.js
    MediumDynamic Requiredist/hono/plugins.test.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings