AI Security Review
scanned 2h ago · by lpm-firewall-aiRunning the bridge starts an agent-backed HTTP service. On an aborted agent session, it automatically executes a fixed-named hook found inside the active project directory.
Static reason
No blocking static signals were detected.
Trigger
User runs `baker-bridge hono` and an agent session is aborted.
Impact
A writable or untrusted project can supply code that executes in the bridge process context during abort recovery.
Mechanism
Project-local hook execution via `execFile("node", [hookScript])`.
Rationale
No concrete malicious package behavior was found, but automatic execution of mutable project-local code is a material dual-use runtime risk. Downgrade to warn rather than block because it is not install-time and appears aligned with publish-recovery functionality.
Evidence
package.jsondist/cli.jsdist/hono/publish-recovery.jsdist/hono/agent.jsdist/hono/runtime-files.jsdist/hono/model-router.js__tooling__/hooks/base/recover-stalled-publish.mjs.baker/sessions/<threadId>.json.baker/relay-errors.jsonl.claude/memory
Network endpoints1
api.notdiamond.ai/v2/modelRouter/modelSelect
Decision evidence
public snapshotAI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/hono/publish-recovery.js` runs a project-local `__tooling__/hooks/base/recover-stalled-publish.mjs` with Node after aborted agent sessions.
- The hook path is resolved from the mutable current working directory, creating a runtime project-hook execution surface.
- `dist/hono/agent.js` starts Claude Agent SDK queries with project settings and inherited environment variables.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `dist/cli.js` only starts the HTTP server after explicit `baker-bridge hono` invocation.
- No `eval`, `Function`, shell command string, remote payload download, credential-harvesting loop, or install-time filesystem mutation was found.
- Outbound requests are configured Convex API calls and an opt-in NotDiamond model-routing request; no covert hard-coded exfiltration endpoint was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => {
L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href)));
L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/hono/plugins.test.jsView on unpkg · L64Findings
3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings