AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a CLI bridge that shares local coding-agent sessions into ThinkPool rooms and optionally installs a user-requested background service.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs thinkpool-pair commands such as <ROOM>, login, provider, or install-service.
Impact
Expected local session sharing and optional boot persistence; no evidence of covert install-time execution, credential exfiltration, destructive behavior, or AI-agent control-surface mutation.
Mechanism
User-invoked realtime bridge, credential storage, service installer, and coding-agent process launcher.
Rationale
Static inspection found sensitive primitives, network use, and persistence, but they are explicit product features for a ThinkPool room bridge and provider configuration rather than covert behavior. With no lifecycle hooks, unrelated exfiltration endpoint, hidden payload, or unconsented persistence, the scanner findings are noisy.
Evidence
package.jsonbridge.mjsservice.mjsauth-store.mjsprovider.mjsbyok-detect.mjsaccount.mjssession-store.mjs~/.thinkpool-pair/auth.json~/.thinkpool-pair/provider.json~/.thinkpool-pair/dirs.json~/.thinkpool-pair/served.json~/.thinkpool-pair/default-dir~/Library/LaunchAgents/io.thinkpool.pair.*.plist~/.config/systemd/user/io.thinkpool.pair.*.service%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/thinkpool-pair-*.cmd
Network endpoints7
daytvtakmlixpfbbqzjd.supabase.cothinkpool.ioregistry.npmjs.org/thinkpool-pair/latestapi.anthropic.comapi.anthropic.com/v1/modelsopenrouter.ai/apiopenrouter.ai/api/v1/models
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- Persistence support exists in service.mjs but is only reached by explicit install-service command.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin bridge.mjs and release script.
- bridge.mjs network targets are ThinkPool/Supabase room sync, npm update checks, and user/provider model APIs matching package purpose.
- bridge.mjs embeds a Supabase anon JWT, commented as public client credentials, not a private secret.
- auth-store.mjs/provider.mjs store user-supplied tokens locally under ~/.thinkpool-pair; no code found sending them to unrelated endpoints.
- service.mjs validates room codes before interpolating into launchd/systemd commands and pins service version by default.
- Shell/child_process use is tied to user-invoked CLI/service management and spawning selected coding-agent CLIs.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcebridge.mjsView file
94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
service.mjsView file
22import path from 'node:path'
L23: import { execSync } from 'node:child_process'
L24:
...
L26: // exactly one account service per machine (a second install replaces it).
L27: // Room codes flow UNESCAPED into launchctl/systemd shell strings + plist paths, so
L28: // this is the security chokepoint: reject anything that isn't a plain alnum code
...
L44: // `home` is the platform-correct, runtime-expanded home token ("$HOME" on darwin under
L45: // /bin/bash; "$$HOME" inside a systemd unit so systemd emits a literal $HOME to bash).
L46: const cacheWipe = (home) => `rm -rf ${home}/.npm/_npx/*/node_modules/thinkpool-pair 2>/dev/null`
...
L48: // The version installing the service. By DEFAULT the service is pinned to this exact
L49: // version (not @latest) so a future bad npm publish can't auto-roll to every machine's
L50: // always-on bridge — that's what spread the broken 0.7.49 on 2026-06-22. Updates become
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
service.mjsView on unpkg · L22Findings
2 Critical3 Medium5 Low
CriticalCritical Secretbridge.mjs
CriticalSecret Patternbridge.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceservice.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License