registry  /  @koda-sl/baker-bridge  /  0.51.3

@koda-sl/baker-bridge@0.51.3

HTTP server wrapping the Claude Agent SDK. Persists chat events to Convex; the dashboard subscribes via Convex realtime

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicitly started HTTP bridge launches a Claude Agent SDK session against the current project and automatically loads a bundled reports plugin. That plugin can direct agent-driven creation of report files in the project workspace; no install-time behavior is present.

Static reason
No blocking static signals were detected.
Trigger
User runs `baker-bridge hono` and submits an authenticated agent message or command.
Impact
Authorized runtime use can cause AI-agent actions and report-file writes in the current project.
Mechanism
Runtime Claude Agent SDK bridge with a bundled local workspace-writing plugin.
Rationale
The package is not malicious by source evidence, but it automatically loads a first-party agent plugin that can guide workspace writes during its normal runtime. Per policy, this package-owned agent extension setup warrants a non-blocking warning rather than a clean verdict.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/plugins.jsplugins/reports/skills/build/SKILL.mdplugins/reports/skills/build/scripts/scaffold-report.mjs
Network endpoints1
api.notdiamond.ai/v2/modelRouter/modelSelect

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/hono/plugins.js` automatically supplies bundled `plugins/reports` to the Claude Agent SDK.
  • `plugins/reports/skills/build/SKILL.md` instructs the agent to run a bundled scaffold script in the current workspace.
  • `plugins/reports/skills/build/scripts/scaffold-report.mjs` creates report endpoint, HTML, and definition files.
  • `dist/hono/bridge-job.js` and `dist/hono/agent.js` invoke the Claude Agent SDK with project settings and bundled plugins.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/cli.js` starts behavior only after the explicit `baker-bridge hono` command.
  • `dist/hono/server.js` protects message and mutation routes with a bearer token.
  • No source evidence of credential harvesting, hidden exfiltration, destructive commands, eval/vm use, or foreign agent-config writes.
  • `dist/hono/plugins.js` references only a package-bundled local plugin path.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 375 KB of source, external domains: api.example.com, api.notdiamond.ai, example.com, example.convex.site, hooks.zapier.com, mcp.example, media.example, same.url

Source & flagged code

1 flagged · loading source
dist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => { L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href))); L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hono/plugins.test.jsView on unpkg · L64

Findings

3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings