registry  /  @koda-sl/baker-bridge  /  0.51.2

@koda-sl/baker-bridge@0.51.2

HTTP server wrapping the Claude Agent SDK. Persists chat events to Convex; the dashboard subscribes via Convex realtime

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Running the bridge starts an agent-backed HTTP service. On an aborted agent session, it automatically executes a fixed-named hook found inside the active project directory.

Static reason
No blocking static signals were detected.
Trigger
User runs `baker-bridge hono` and an agent session is aborted.
Impact
A writable or untrusted project can supply code that executes in the bridge process context during abort recovery.
Mechanism
Project-local hook execution via `execFile("node", [hookScript])`.
Rationale
No concrete malicious package behavior was found, but automatic execution of mutable project-local code is a material dual-use runtime risk. Downgrade to warn rather than block because it is not install-time and appears aligned with publish-recovery functionality.
Evidence
package.jsondist/cli.jsdist/hono/publish-recovery.jsdist/hono/agent.jsdist/hono/runtime-files.jsdist/hono/model-router.js__tooling__/hooks/base/recover-stalled-publish.mjs.baker/sessions/<threadId>.json.baker/relay-errors.jsonl.claude/memory
Network endpoints1
api.notdiamond.ai/v2/modelRouter/modelSelect

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/hono/publish-recovery.js` runs a project-local `__tooling__/hooks/base/recover-stalled-publish.mjs` with Node after aborted agent sessions.
  • The hook path is resolved from the mutable current working directory, creating a runtime project-hook execution surface.
  • `dist/hono/agent.js` starts Claude Agent SDK queries with project settings and inherited environment variables.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/cli.js` only starts the HTTP server after explicit `baker-bridge hono` invocation.
  • No `eval`, `Function`, shell command string, remote payload download, credential-harvesting loop, or install-time filesystem mutation was found.
  • Outbound requests are configured Convex API calls and an opt-in NotDiamond model-routing request; no covert hard-coded exfiltration endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 371 KB of source, external domains: api.example.com, api.notdiamond.ai, example.com, example.convex.site, hooks.zapier.com, mcp.example, media.example, same.url

Source & flagged code

1 flagged · loading source
dist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => { L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href))); L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hono/plugins.test.jsView on unpkg · L64

Findings

3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings