registry  /  thinkpool-pair  /  0.7.156

thinkpool-pair@0.7.156

Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs thinkpool-pair CLI or explicitly invokes install-service/account/flow features.
Impact
Can run local agent sessions, share terminal/agent output to ThinkPool rooms, spawn additional Claude lanes, and persist as an OS user service when requested.
Mechanism
package-aligned agent bridge with optional persistent service and autonomous lane spawning
Policy narrative
Static inspection supports a legitimate but powerful ThinkPool local-agent bridge: it connects to ThinkPool/Supabase, starts Claude/other CLI sessions, can spawn autonomous lanes, and can install a user service when explicitly requested. I did not find npm lifecycle execution, unconsented foreign agent control-surface mutation, credential harvesting, or off-domain exfiltration.
Rationale
The risky primitives are package-aligned and user-invoked, with no lifecycle hook or concrete unconsented attack behavior. Because it provides agent orchestration and permission-bypass-capable lanes, warn rather than block.
Evidence
package.jsonbridge.mjsaccount.mjsservice.mjsauth-store.mjsbyok-detect.mjsflow-worktree.mjsflow-assembly.mjs~/.thinkpool-pair/auth.json~/.thinkpool-pair/dirs.json~/.thinkpool-pair/served.json~/.thinkpool-pair/default-dir~/Library/LaunchAgents/io.thinkpool.pair*.plist~/.config/systemd/user/io.thinkpool.pair*.service%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/thinkpool-pair-*.cmd.claude/worktrees
Network endpoints7
daytvtakmlixpfbbqzjd.supabase.cothinkpool.ioregistry.npmjs.org/thinkpool-pair/latestapi.anthropic.comapi.anthropic.com/v1/modelsopenrouter.ai/apiopenrouter.ai/api/v1/models

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bridge.mjs exposes agent tools that can spawn additional Claude lanes and may inherit bypassPermissions.
  • bridge.mjs flow dispatch opens autonomous flow lanes with mode 'bypassPermissions'.
  • service.mjs can create boot-persistent LaunchAgent/systemd/Startup entries, but only through installService CLI path.
  • account.mjs can spawn child bridge processes and auto-update via npx @latest when service env is set.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only bin thinkpool-pair.
  • Public Supabase anon key is labeled client credential, not a private secret.
  • service.mjs validates room codes before interpolating into service labels/commands.
  • auth-store.mjs stores only this package's account files under ~/.thinkpool-pair.
  • Network calls target package-aligned ThinkPool/Supabase/npm/model-provider endpoints.
  • No import-time foreign AI-agent config writes such as .mcp.json, CLAUDE.md, or global agent settings found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 29 file(s), 588 KB of source, external domains: api.anthropic.com, api.z.ai, daytvtakmlixpfbbqzjd.supabase.co, openrouter.ai, registry.npmjs.org, thinkpool.io, www.apple.com

Source & flagged code

6 flagged · loading source
bridge.mjsView file
95patternName = supabase_service_key severity = critical line = 95 matchedText = const SU...tqo'
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bridge.mjsView on unpkg · L95
matchType = previous_version_dangerous_delta matchedPackage = thinkpool-pair@0.7.154 matchedIdentity = npm:dGhpbmtwb29sLXBhaXI:0.7.154 similarity = 0.815 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bridge.mjsView on unpkg
95patternName = supabase_service_key severity = critical line = 95 matchedText = const SU...tqo'
Critical
Secret Pattern

Supabase service role key (JWT) in bridge.mjs

bridge.mjsView on unpkg · L95
flow-assembly.mjsView file
14// L15: // Node built-ins ONLY (fs, path, child_process, zlib) — bridge ships as npm L16: // thinkpool-pair with no new deps. Pure over injected fs/git/gh/readFile so the
High
Child Process

Package source references child process execution.

flow-assembly.mjsView on unpkg · L14
service.mjsView file
22import path from 'node:path' L23: import { execSync } from 'node:child_process' L24: ... L26: // exactly one account service per machine (a second install replaces it). L27: // Room codes flow UNESCAPED into launchctl/systemd shell strings + plist paths, so L28: // this is the security chokepoint: reject anything that isn't a plain alnum code ... L44: // `home` is the platform-correct, runtime-expanded home token ("$HOME" on darwin under L45: // /bin/bash; "$$HOME" inside a systemd unit so systemd emits a literal $HOME to bash). L46: const cacheWipe = (home) => `rm -rf ${home}/.npm/_npx/*/node_modules/thinkpool-pair 2>/dev/null` ... L48: // The version installing the service. By DEFAULT the service is pinned to this exact L49: // version (not @latest) so a future bad npm publish can't auto-roll to every machine's L50: // always-on bridge — that's what spread the broken 0.7.49 on 2026-06-22. Updates become
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

service.mjsView on unpkg · L22
account.mjsView file
1/* account.mjs — account-mode bridge (Phase 1). L2: One `npx thinkpool-pair` per ACCOUNT instead of per room: L3: login — link this device to your ThinkPool account (realtime handoff). ... L8: Spec: docs/specs/2026-06-16-account-bridge.md */ L9: import { spawn } from 'node:child_process' L10: import { fileURLToPath } from 'node:url'
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

account.mjsView on unpkg · L1

Findings

3 Critical3 High4 Medium5 Low
CriticalCritical Secretbridge.mjs
CriticalPrevious Version Dangerous Deltabridge.mjs
CriticalSecret Patternbridge.mjs
HighChild Processflow-assembly.mjs
HighShell
HighRuntime Package Installaccount.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceservice.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License