registry  /  @threadbase-sh/streamer  /  1.27.2

@threadbase-sh/streamer@1.27.2

PTY session management, WebSocket streaming, and REST API server for Claude Code conversations

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit execution of `dist/seed-claude-config.cjs` with `CLAUDE_CONFIG` set; separate user API calls start agent sessions.
Impact
The direct helper can reduce Claude trust prompts for its fixed first-party project path; no unconsented install-time broad control-surface mutation was found.
Mechanism
Explicit Claude config seeding and user-requested Codex/Claude PTY spawning
Rationale
The scanner's malicious lifecycle signal is unsupported by the manifest, but the explicit Claude configuration mutation is a real agent-control capability. Because it is direct-only and first-party-path-scoped rather than unconsented install-time behavior, warn rather than block.
Evidence
package.jsondist/seed-claude-config.cjsdist/index.cjsdist/cli.cjsdist/launchd-entry.cjs
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/seed-claude-config.cjs` writes trust/onboarding fields to the `CLAUDE_CONFIG` path.
  • The helper adds `/data/.claude/projects` as a trusted Claude project and approves an API-key suffix.
  • `dist/index.cjs` spawns Codex/Claude PTY sessions with `acceptEdits` as the default permission mode.
Evidence against
  • `package.json` does not invoke the Claude config helper from `preinstall`, `prepare`, or `postinstall`.
  • Install-time `postinstall` only chmods node-pty's packaged `spawn-helper`; `preinstall` targets an absent unpacked script.
  • The config seeder requires direct execution plus caller-supplied `CLAUDE_CONFIG`; no CLI/library reference reaches it.
  • No source evidence of credential exfiltration, hidden remote payload execution, or destructive install behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.44 MB of source, external domains: github.com, json-schema.org
Oversized source lightweight scan
dist/cli.cjs6.87 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(require.resolve('node-pty'),'..','..','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(require.resolve('node-pty'),'..','..','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
547// src/platform.ts L548: import { execFileSync } from "child_process"; L549: import { existsSync } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L547
55} L56: function readAgentConfig(env = process.env) { L57: const enabled = isTruthy(env.MULTI_AGENT_FLOW); ... L160: try { L161: return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); L162: } catch { ... L179: const app = new Hono(); L180: app.post("/sessions/:sessionId/progress", async (c) => { L181: if (!deps.agentConfig.enabled) { ... L281: function configDir() { L282: return process.env.THREADBASE_CONFIG_DIR ?? join2(homedir(), ".threadbase"); L283: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L55
dist/index.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @threadbase-sh/streamer@1.25.0 matchedIdentity = npm:QHRocmVhZGJhc2Utc2gvc3RyZWFtZXI:1.25.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.cjsView on unpkg
106Cross-file remote execution chain: dist/index.cjs spawns dist/index.js; helper contains network access plus dynamic code execution. L106: } L107: function readAgentConfig(env = process.env) { L108: const enabled = isTruthy(env.MULTI_AGENT_FLOW); ... L211: try { L212: return import_node_crypto.default.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); L213: } catch { ... L230: const app = new import_hono.Hono(); L231: app.post("/sessions/:sessionId/progress", async (c) => { L232: if (!deps.agentConfig.enabled) { ... L332: function configDir() { L333: return process.env.THREADBASE_CONFIG_DIR ?? (0, import_path.join)((0, import_os.homedir)(), ".threadbase"); L334: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L106
dist/cli.cjsView file
path = dist/cli.cjs kind = oversized_source_file sizeBytes = 7201835 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.cjsView on unpkg
path = dist/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 7201835 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.cjsView on unpkg

Findings

2 Critical5 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/index.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.cjs
HighOversized Source Filedist/cli.cjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings