AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a CLI bridge for ThinkPool rooms that intentionally connects local coding-agent CLIs to ThinkPool/Supabase services and can optionally install an autoupdate service.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs thinkpool-pair CLI or explicit service/provider/auth commands.
Impact
Runtime shares terminal/session events with configured ThinkPool room; optional persistence keeps the bridge running when requested.
Mechanism
User-invoked local agent bridge with optional supervised service install.
Rationale
Suspicious primitives are consistent with the declared CLI bridge: networking, token use, child-process spawning, and optional service persistence are visible and user-invoked. I found no install-time execution, covert exfiltration, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonbridge.mjsservice.mjsauth-store.mjsprovider.mjssession-store.mjsclaude-session.mjsbyok-detect.mjs~/.thinkpool-pair~/.config/systemd/user/thinkpool-pair-<room>.service~/Library/LaunchAgents/io.thinkpool.pair.<room>.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/thinkpool-pair-<room>.cmd
Network endpoints6
thinkpool.iodaytvtakmlixpfbbqzjd.supabase.coregistry.npmjs.org/thinkpool-pair/latestapi.anthropic.comopenrouter.ai/apiapi.z.ai/api/anthropic
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json exposes bin bridge.mjs, no install/preinstall/postinstall hooks.
- bridge.mjs has embedded Supabase anon JWT and sends bearer tokens to ThinkPool/Supabase APIs during explicit bridge runtime.
- service.mjs can install launchd/systemd/Windows startup persistence, but only through service commands, not install-time.
- bridge.mjs/claude-session.mjs spawn local agent CLI sessions and can auto-approve bounded spawned lanes as part of the product behavior.
Evidence against
- No lifecycle scripts execute on npm install; only release script is present.
- Network hosts are package-aligned: thinkpool.io, daytvtakmlixpfbbqzjd.supabase.co, registry.npmjs.org, provider model APIs.
- Auth-store/provider/session files write under ~/.thinkpool-pair or user-selected service paths for local state, not harvested secrets.
- No evidence of credential harvesting, arbitrary exfiltration, destructive action, or hidden payload loading in inspected source.
- Service persistence is user-invoked and room-code labels are validated in service.mjs.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcebridge.mjsView file
94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
service.mjsView file
22import path from 'node:path'
L23: import { execSync } from 'node:child_process'
L24:
...
L26: // exactly one account service per machine (a second install replaces it).
L27: // Room codes flow UNESCAPED into launchctl/systemd shell strings + plist paths, so
L28: // this is the security chokepoint: reject anything that isn't a plain alnum code
...
L44: // `home` is the platform-correct, runtime-expanded home token ("$HOME" on darwin under
L45: // /bin/bash; "$$HOME" inside a systemd unit so systemd emits a literal $HOME to bash).
L46: const cacheWipe = (home) => `rm -rf ${home}/.npm/_npx/*/node_modules/thinkpool-pair 2>/dev/null`
...
L48: // The version installing the service. By DEFAULT the service is pinned to this exact
L49: // version (not @latest) so a future bad npm publish can't auto-roll to every machine's
L50: // always-on bridge — that's what spread the broken 0.7.49 on 2026-06-22. Updates become
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
service.mjsView on unpkg · L22Findings
2 Critical3 Medium5 Low
CriticalCritical Secretbridge.mjs
CriticalSecret Patternbridge.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceservice.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License