AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The sensitive primitives are package-aligned for sharing a local coding agent into a ThinkPool room and are user-invoked, permission-gated, or bounded.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs thinkpool-pair, optionally install-service or room commands
Impact
No unconsented install-time execution, credential harvesting, or exfiltration confirmed
Mechanism
runtime agent bridge with Supabase/ThinkPool relay and optional user-installed service
Rationale
Static source inspection shows a powerful but declared remote coding-agent bridge, not hidden malware: no lifecycle execution, no covert credential collection, and persistence requires explicit user action. Scanner findings map to expected Supabase/ThinkPool networking, public anon credentials, and package-aligned service/agent orchestration controls.
Evidence
package.jsonbridge.mjsservice.mjsclaude-session.mjscross-terminal.mjsprovider.mjsauth-store.mjs
Network endpoints3
daytvtakmlixpfbbqzjd.supabase.cothinkpool.ioregistry.npmjs.org/thinkpool-pair/latest
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- bridge.mjs exposes remote room controls that can spawn PTYs/Claude sessions and relay agent messages, but these are runtime features of the CLI.
- service.mjs can install launchd/systemd/Startup persistence only via explicit install-service subcommand or interactive prompt.
- bridge.mjs embeds a Supabase anon JWT and ThinkPool URLs; comments identify it as public client credentials, not a private secret.
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks; only bin thinkpool-pair -> bridge.mjs.
- bridge.mjs term-open/file-put/code-turn handlers activate only after user runs the CLI and joins a ThinkPool room.
- claude-session.mjs gates write/cross-post tools through PreToolUse permission cards; cross-room post requires sender and recipient approval.
- cross-terminal.mjs enforces caps, hop limits, and kill-switches for read/post/spawn tools.
- service.mjs validates room codes before shell interpolation and pins service versions by default.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcebridge.mjsView file
94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
•matchType = previous_version_dangerous_delta
matchedPackage = thinkpool-pair@0.7.142
matchedIdentity = npm:dGhpbmtwb29sLXBhaXI:0.7.142
similarity = 0.889
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bridge.mjsView on unpkg94patternName = supabase_service_key
severity = critical
line = 94
matchedText = const SU...tqo'
Critical
service.mjsView file
22import path from 'node:path'
L23: import { execSync } from 'node:child_process'
L24:
...
L26: // exactly one account service per machine (a second install replaces it).
L27: // Room codes flow UNESCAPED into launchctl/systemd shell strings + plist paths, so
L28: // this is the security chokepoint: reject anything that isn't a plain alnum code
...
L44: // `home` is the platform-correct, runtime-expanded home token ("$HOME" on darwin under
L45: // /bin/bash; "$$HOME" inside a systemd unit so systemd emits a literal $HOME to bash).
L46: const cacheWipe = (home) => `rm -rf ${home}/.npm/_npx/*/node_modules/thinkpool-pair 2>/dev/null`
...
L48: // The version installing the service. By DEFAULT the service is pinned to this exact
L49: // version (not @latest) so a future bad npm publish can't auto-roll to every machine's
L50: // always-on bridge — that's what spread the broken 0.7.49 on 2026-06-22. Updates become
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
service.mjsView on unpkg · L22Findings
3 Critical3 Medium5 Low
CriticalCritical Secretbridge.mjs
CriticalPrevious Version Dangerous Deltabridge.mjs
CriticalSecret Patternbridge.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceservice.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License