registry  /  thinkpool-pair  /  0.7.147

thinkpool-pair@0.7.147

Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked ThinkPool bridge for sharing local coding-agent terminals to a room; risky primitives are aligned with that advertised function and gated by CLI/login/room actions.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs thinkpool-pair, logs in, joins a room, or explicitly runs install-service/provider/bind commands.
Impact
Local agent activity and selected project context can be relayed to the user's ThinkPool room as intended; no evidence of covert exfiltration, install-time execution, destructive payload, or hidden persistence.
Mechanism
Realtime bridge for local coding-agent sessions with optional user-installed service persistence.
Rationale
Static inspection found powerful network, shell, service, and AI-agent orchestration behavior, but it matches the package's stated bridge functionality and is activated by explicit runtime commands rather than install/import hooks. I found no hardcoded private credential, covert credential/file harvesting, hidden payload, or unconsented lifecycle mutation of AI-agent controls.
Evidence
package.jsonbridge.mjsaccount.mjsservice.mjsauth-store.mjsprovider.mjsclaude-session.mjsbyok-detect.mjsREADME.md~/.thinkpool-pair/auth.json~/.thinkpool-pair/provider.json~/.thinkpool-pair/dirs.json~/.thinkpool-pair/served.json~/Library/LaunchAgents/io.thinkpool.pair.*.plist~/.config/systemd/user/io.thinkpool.pair.*.service%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/thinkpool-pair-*.cmd
Network endpoints7
daytvtakmlixpfbbqzjd.supabase.cothinkpool.ioregistry.npmjs.org/thinkpool-pair/latestapi.anthropic.comopenrouter.ai/apiapi.z.ai/api/anthropiclocalhost:4000

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bridge.mjs exposes remote room control surfaces that can open terminals, relay input, download room files, and spawn Claude lanes when the user runs the CLI.
  • service.mjs can write launchd/systemd/Startup persistence, but only via explicit install-service command.
  • bridge.mjs/account.mjs poll npm registry and can restart/update only in service/update flows.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only bin thinkpool-pair -> bridge.mjs and release script.
  • bridge.mjs embedded JWT is documented Supabase anon client key, not a private secret; owner tokens come from user login/env and are not hardcoded.
  • Network traffic is package-aligned: ThinkPool Supabase, thinkpool.io APIs, npm registry update checks, and user-configured BYOK/model endpoints.
  • auth-store.mjs/provider.mjs store user-selected auth/provider data under ~/.thinkpool-pair with mode 0600 for sensitive files; no broad credential harvesting found.
  • service.mjs validates room codes before shell/service interpolation and persistence is user-invoked, not install/import-time.
  • claude-session.mjs adds ThinkPool-specific agent prompts and permission gates at runtime; no unconsented lifecycle AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 27 file(s), 559 KB of source, external domains: api.anthropic.com, api.z.ai, daytvtakmlixpfbbqzjd.supabase.co, openrouter.ai, registry.npmjs.org, thinkpool.io, www.apple.com

Source & flagged code

3 flagged · loading source
bridge.mjsView file
94patternName = supabase_service_key severity = critical line = 94 matchedText = const SU...tqo'
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bridge.mjsView on unpkg · L94
94patternName = supabase_service_key severity = critical line = 94 matchedText = const SU...tqo'
Critical
Secret Pattern

Supabase service role key (JWT) in bridge.mjs

bridge.mjsView on unpkg · L94
service.mjsView file
22import path from 'node:path' L23: import { execSync } from 'node:child_process' L24: ... L26: // exactly one account service per machine (a second install replaces it). L27: // Room codes flow UNESCAPED into launchctl/systemd shell strings + plist paths, so L28: // this is the security chokepoint: reject anything that isn't a plain alnum code ... L44: // `home` is the platform-correct, runtime-expanded home token ("$HOME" on darwin under L45: // /bin/bash; "$$HOME" inside a systemd unit so systemd emits a literal $HOME to bash). L46: const cacheWipe = (home) => `rm -rf ${home}/.npm/_npx/*/node_modules/thinkpool-pair 2>/dev/null` ... L48: // The version installing the service. By DEFAULT the service is pinned to this exact L49: // version (not @latest) so a future bad npm publish can't auto-roll to every machine's L50: // always-on bridge — that's what spread the broken 0.7.49 on 2026-06-22. Updates become
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

service.mjsView on unpkg · L22

Findings

2 Critical3 Medium5 Low
CriticalCritical Secretbridge.mjs
CriticalSecret Patternbridge.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceservice.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License