registry  /  @claudiolabs/claudin  /  0.7.0

@claudiolabs/claudin@0.7.0

Claudin — Claude Code opened to any LLM (OpenAI, Gemini, DeepSeek, Ollama, and 200+ models)

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. The package is an AI/agent CLI with broad user-invoked integrations, but lifecycle execution is limited to fast-path cache warmup.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall or explicit claudin subcommands
Impact
No unconsented foreign agent control-surface mutation, credential exfiltration, persistence, or destructive behavior confirmed.
Mechanism
package-aligned CLI warmup and user-invoked agent integrations
Rationale
Static inspection found risky agent/network primitives, but they are package-aligned and user-invoked; the postinstall path only runs --version/--help fast paths and writes a package cache. No concrete malicious behavior or unconsented lifecycle mutation of a foreign AI-agent control surface was established.
Evidence
package.jsonscripts/postinstall-warmup.mjsbin/claudindist/cli.mjsscripts/v8cache-gc.mjsdist/chunks/registerSubcommands-0.7.0-r5wmbkz9.mjsdist/chunks/bridgeMain-0.7.0-7n73zfpq.mjsdist/claudin-vscode.vsix~/.claudin/v8cache
Network endpoints4
claude.ai/codecode.claude.com/docs/en/mcpapi.openai.com127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall: node scripts/postinstall-warmup.mjs
  • postinstall spawns bin/claudin --version and --help
  • Runtime CLI includes user-invoked MCP, plugin, Claude Desktop import, and remote-control commands
Evidence against
  • dist/cli.mjs short-circuits --version/--help before importing main runtime or startup update code
  • scripts/postinstall-warmup.mjs sets CLAUDIN_V8CACHE_GC=0 and only warms cache with ignored stdio/timeouts
  • bin/claudin install path creates package-owned ~/.claudin/v8cache only
  • Claude Desktop/MCP writes are exposed as explicit CLI subcommands, not lifecycle-triggered
  • Remote control is explicit, prompts before enablement, and checks HTTPS/localhost base URL
  • VSIX starts a local 127.0.0.1 MCP IDE server with random auth token; it is shipped, not lifecycle-installed
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 450 file(s), 8.11 MB of source, external domains: 1.1.1.1, 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, anthropic.com, api.anthropic.com, api.cloudflare.com, api.deepseek.com, api.githubcopilot.com, api.groq.com, api.kimi.com, api.minimax.io, api.mistral.ai, api.moonshot.ai, api.openai.com, api.together.xyz, api.x.ai, api.z.ai, app.corridor.dev, auth.openai.com, beacon.claude-ai.staging.ant.dev, bedrock-runtime.us-east-1.amazonaws.com, chatgpt.com, clau.de, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, code.claude.com, coding-intl.dashscope.aliyuncs.com, coding.dashscope.aliyuncs.com, docs.anthropic.com, docs.aws.amazon.com, docs.claude.com, docs.expo.dev, duckduckgo.com, example.com, external-content.duckduckgo.com, fonts.googleapis.com, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, git-scm.com, github.com, hooks.example.com, integrate.api.nvidia.com, json-schema.org, json.schemastore.org, links.duckduckgo.com, llm.bankr.bot
Oversized source lightweight scan
dist/chunks/cli-0.7.0-7g132rdj.mjs3.45 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringsexample.comraw.githubusercontent.com

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-warmup.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/chunks/openaiShim-0.7.0-9bq5572t.mjsView file
11patternName = generic_password severity = medium line = 11 matchedText = [Content...in(`
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/chunks/openaiShim-0.7.0-9bq5572t.mjsView on unpkg · L11
dist/chunks/cli-0.7.0-m9eza7ry.mjsView file
6- too many long flags`);throw Error(`${_} L7: - unrecognised flag format`)}if(J===void 0&&Q===void 0)throw Error(`option creation failed due to no flags found in '${z}'.`);return{shortFlag:J,longFlag:Q}}import{EventEmitter as ... L8: `)}displayWidth(z){return k(z).length}styleTitle(z){return z}styleUsage(z){return z.split(" ").map((J)=>{if(J==="[options]")return this.styleOptionText(J);if(J==="[command]")return...
High
Child Process

Package source references child process execution.

dist/chunks/cli-0.7.0-m9eza7ry.mjsView on unpkg · L6
dist/chunks/cli-0.7.0-9jzkqcfv.mjsView file
1import{W6 as k2,Y6 as x8}from"./cli-0.7.0-es6y6s82.mjs";import{$6 as mZ,_6 as h}from"./cli-0.7.0-g2ekvm09.mjs";import{k7 as d5,m7 as w8}from"./cli-0.7.0-aewz8nz4.mjs";import{$7 as ... L2: `;await H0("security",["-i"],{input:q,reject:!1}),x("tengu_api_key_saved_to_keychain",{}),$=!0}catch(Q){N(Q),x("tengu_api_key_keychain_error",{error:p(Q)}),x("tengu_api_key_saved_t...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/cli-0.7.0-9jzkqcfv.mjsView on unpkg · L1
1import{W6 as k2,Y6 as x8}from"./cli-0.7.0-es6y6s82.mjs";import{$6 as mZ,_6 as h}from"./cli-0.7.0-g2ekvm09.mjs";import{k7 as d5,m7 as w8}from"./cli-0.7.0-aewz8nz4.mjs";import{$7 as ... L2: `;await H0("security",["-i"],{input:q,reject:!1}),x("tengu_api_key_saved_to_keychain",{}),$=!0}catch(Q){N(Q),x("tengu_api_key_keychain_error",{error:p(Q)}),x("tengu_api_key_saved_t...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunks/cli-0.7.0-9jzkqcfv.mjsView on unpkg · L1
dist/chunks/index-0.7.0-fx8935ev.mjsView file
1import{Lpa as ve,Mpa as L}from"./cli-0.7.0-1evcxwvq.mjs";import{Npa as _e}from"./cli-0.7.0-1vvj7vh2.mjs";import{Qpa as Ke,Tpa as he,Upa as Se}from"./cli-0.7.0-w0nw2kkk.mjs";import{... L2: - loopback CIDR 127.0.0.0/8 or [::1/128] L3: - ECS container host 169.254.170.2 L4: - EKS container host 169.254.170.23 or [fd00:ec2::23]`,{logger:j})};ye.checkUrl=Ae});var Ce=H((B)=>{Object.defineProperty(B,"__esModule",{value:!0});B.resolveHttpHandlerRuntimeConf... L5: Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`,{logger:f.logger});let n=new URL(j);(0,ut.checkUrl)(n,f.logger);let r=nt.NodeHttpHandler.create({...
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunks/index-0.7.0-fx8935ev.mjsView on unpkg · L1
dist/chunks/index-0.7.0-hwyk7tea.mjsView file
20contains invisible/control Unicode U+200B (zero width space) \v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#$٪&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_\`abcdefghijklmnopqrstuvwxyz{|}~°·∙√▒─│┼┤┬├┴┐┌└┘β∞φ±½¼≈«»ﻷﻸ��ﻻﻼ� ­ﺂ£¤ﺄ��ﺎﺏﺕﺙ،ﺝﺡﺥ٠١٢٣٤٥٦٧٨٩ﻑ؛ﺱﺵﺹ؟
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunks/index-0.7.0-hwyk7tea.mjsView on unpkg · L20
dist/chunks/cli-0.7.0-h6kfhzzd.mjsView file
1Cross-file remote execution chain: dist/chunks/cli-0.7.0-h6kfhzzd.mjs spawns dist/chunks/cli-0.7.0-5ktz31fq.mjs; helper contains network access plus dynamic code execution. L1: import{Xea as o6,afa as aW}from"./cli-0.7.0-twxrndmz.mjs";import{ifa as Vq,kfa as c6,lfa as hI}from"./cli-0.7.0-tcxmyk2w.mjs";import{Hfa as Q3,vfa as S1}from"./cli-0.7.0-m07xma4d.m... L2: `;try{$.appendFileSync(Q,Y)}catch{try{$.mkdirSync(eL(Q)),$.appendFileSync(Q,Y)}catch{}}}function Z_(){return process.env.CLAUDE_CODE_DIAGNOSTICS_FILE}async function gP(Z,q,J){let Q... L3: `)){let Q=J.match(/^(ID|VERSION_ID)=(.*)$/);if(Q&&Q[1]&&Q[2]){let X=Q[2].replace(/^"|"$/g,"");if(Q[1]==="ID")Z.linuxDistroId=X;else Z.linuxDistroVersion=X}}}catch{}return Z})});imp... L4: `).filter(Boolean),Q=r().toLowerCase();for(let X of J){let $=R6.resolve(X).toLowerCase();if(R6.dirname($).toLowerCase()===Q||$.startsWith(Q+R6.sep)){x(`Skipping potentially malicio... ... L17: `)}catch(Y){if(W0(Y)==="ENOENT")await XR(X,`${J} L18: `,"utf-8");else throw Y}}catch(J){f(J)}}var k$=B(()=>{q1();C1();b4();R2();p0()});function F2(Z,q=!1){let J=Z.length,Q=0,X="",$=0,Y=16,H=0,K=0,W=0,U=0,V=0;function L(M,O){let T=0,j=... L19: `;break;case 114:M+="\…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunks/cli-0.7.0-h6kfhzzd.mjsView on unpkg · L1
dist/chunks/defaultActionDeps-0.7.0-3msvjhye.mjsView file
1import"./cli-0.7.0-zjfpqpke.mjs";import{n as a,p as DG,q as IG,r as _B,s as aB}from"./cli-0.7.0-0r9dgw51.mjs";import"./cli-0.7.0-jvkyhn8x.mjs";import"./cli-0.7.0-brqbb2d5.mjs";impo... L2: `)),process.exit(1);if(PI()==="windows")process.stderr.write(Q.red(`Error: --tmux is not supported on Windows ... L26: 1. **Code review** — Invoke the \`${Qg}\` tool with \`skill: "code-review"\` and \`args: "medium"\` to get a correctness-bug report on your changes, then fix every reported bug bef... L27: 2. **Run unit tests** — Run the project's test suite (check for package.json scripts, Makefile targets, or common commands like \`npm test\`, \`bun test\`, \`pytest\`, \`go test\`)... L28: 3. **Test end-to-end** — Follow the e2e test recipe from the coordinator's prompt (below). If the recipe says to skip e2e for this unit, skip it. ... L352: `;let Z=I.target?`Review target: \`${I.target}\` L353: `:"";return`${B}${Z}${pb[g]}${I.comment?Eb:""}${I.fix?_b:""}`}function Ug(){$({name:"code-review",description:"Review the current diff for correctness bugs and reuse/simplification... L354: `).slice(-kG).join(` ... L459: Do not add anything to \`permissions.deny\` or \`permissions.ask\`. Do not touc
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/chunks/defaultActionDeps-0.7.0-3msvjhye.mjsView on unpkg · L1
dist/claudin-vscode.vsixView file
path = dist/claudin-vscode.vsix kind = high_entropy_blob sizeBytes = 91168 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = compressed_blob sizeBytes = 91168 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = nested_archive_needs_inspection sizeBytes = 91168 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/claudin-vscode.vsixView on unpkg
dist/chunks/cli-0.7.0-7g132rdj.mjsView file
path = dist/chunks/cli-0.7.0-7g132rdj.mjs kind = oversized_source_file sizeBytes = 3619569 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/cli-0.7.0-7g132rdj.mjsView on unpkg
dist/chunks/bridgeMain-0.7.0-7n73zfpq.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @claudiolabs/claudin@0.6.14 matchedIdentity = npm:QGNsYXVkaW9sYWJzL2NsYXVkaW4:0.6.14 similarity = 0.675 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/bridgeMain-0.7.0-7n73zfpq.mjsView on unpkg
dist/chunks/cli-0.7.0-ad4z1hfv.mjsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{q...tml>
Medium
Secret Pattern

Hardcoded password in dist/chunks/cli-0.7.0-ad4z1hfv.mjs

dist/chunks/cli-0.7.0-ad4z1hfv.mjsView on unpkg · L1

Findings

2 Critical11 High7 Medium6 Low
CriticalTrojan Source Unicodedist/chunks/index-0.7.0-hwyk7tea.mjs
CriticalPrevious Version Dangerous Deltadist/chunks/bridgeMain-0.7.0-7n73zfpq.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunks/cli-0.7.0-m9eza7ry.mjs
HighShell
HighSame File Env Network Executiondist/chunks/cli-0.7.0-9jzkqcfv.mjs
HighCommand Output Exfiltrationdist/chunks/cli-0.7.0-9jzkqcfv.mjs
HighCloud Metadata Accessdist/chunks/index-0.7.0-fx8935ev.mjs
HighCross File Remote Execution Contextdist/chunks/cli-0.7.0-h6kfhzzd.mjs
HighBase64 Obscured Urldist/chunks/defaultActionDeps-0.7.0-3msvjhye.mjs
HighObfuscated
HighShips High Entropy Blobdist/claudin-vscode.vsix
HighOversized Source Filedist/chunks/cli-0.7.0-7g132rdj.mjs
MediumSecret Patterndist/chunks/openaiShim-0.7.0-9bq5572t.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Compressed Blobdist/claudin-vscode.vsix
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/chunks/cli-0.7.0-ad4z1hfv.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectiondist/claudin-vscode.vsix