registry  /  @claudiolabs/claudin  /  0.7.1

@claudiolabs/claudin@0.7.1

Claudin — Claude Code opened to any LLM (OpenAI, Gemini, DeepSeek, Ollama, and 200+ models)

AI Security Review

scanned 6d ago · by lpm-firewall-ai

Install-time hook warms the CLI by invoking --version and --help, which populates a package-owned V8 cache. Runtime agent, MCP, plugin, OAuth, and provider network features are package-aligned and user-invoked, not confirmed attack behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install; later explicit claudin CLI use
Impact
No confirmed credential exfiltration, destructive action, persistence, or unconsented foreign AI-agent control-surface mutation.
Mechanism
postinstall CLI warmup plus user-invoked AI agent tooling
Rationale
Source inspection shows the install hook executes only fast-path CLI warmup and writes package-owned V8 cache, while broader MCP/plugin/network capabilities are expected runtime features of an AI CLI. No concrete malicious behavior or unconsented lifecycle mutation of a foreign/broad agent control surface was found.
Evidence
package.jsonscripts/postinstall-warmup.mjsbin/claudinscripts/v8cache-gc.mjsdist/cli.mjsdist/chunks/mcp-0.7.1-79bgprwt.mjsdist/chunks/claudeDesktop-0.7.1-pxv7ev3t.mjsdist/chunks/plugin-0.7.1-je74p85s.mjs~/.claudin/v8cache

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall-warmup.mjs
  • postinstall-warmup.mjs spawnSync runs bin/claudin --version and --help during install
  • bin/claudin creates package-owned ~/.claudin/v8cache via module.enableCompileCache
  • CLI includes user-invoked MCP/plugin/agent/provider functionality
Evidence against
  • dist/cli.mjs --version/--help return before main, startup update, auth, MCP, plugin, or provider validation imports
  • No install-time writes to .mcp.json, CLAUDE.md, .claude, Codex/Cursor settings, or Claude Desktop config found
  • scripts/postinstall-warmup.mjs sets CLAUDIN_V8CACHE_GC=0 and stdio ignore; no network code in hook
  • MCP/Claude Desktop/plugin code is tied to explicit CLI commands or runtime agent features
  • Bundled/minified dist explains obfuscation and large-file scanner noise
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 450 file(s), 8.12 MB of source, external domains: 1.1.1.1, 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, anthropic.com, api.anthropic.com, api.cloudflare.com, api.deepseek.com, api.githubcopilot.com, api.groq.com, api.kimi.com, api.minimax.io, api.mistral.ai, api.moonshot.ai, api.openai.com, api.together.xyz, api.x.ai, api.z.ai, app.corridor.dev, auth.openai.com, beacon.claude-ai.staging.ant.dev, bedrock-runtime.us-east-1.amazonaws.com, chatgpt.com, clau.de, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, code.claude.com, coding-intl.dashscope.aliyuncs.com, coding.dashscope.aliyuncs.com, docs.anthropic.com, docs.aws.amazon.com, docs.claude.com, docs.expo.dev, duckduckgo.com, example.com, external-content.duckduckgo.com, fonts.googleapis.com, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, git-scm.com, github.com, hooks.example.com, integrate.api.nvidia.com, json-schema.org, json.schemastore.org, links.duckduckgo.com, llm.bankr.bot
Oversized source lightweight scan
dist/chunks/cli-0.7.1-k3wrch69.mjs3.45 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringsexample.comraw.githubusercontent.com

Source & flagged code

16 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-warmup.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/chunks/cli-0.7.1-b1q31fh8.mjsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{q...tml>
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/chunks/cli-0.7.1-b1q31fh8.mjsView on unpkg · L1
dist/chunks/cli-0.7.1-rt9yw2nh.mjsView file
1import{Aia as pg,Nia as U4}from"./cli-0.7.1-mxjp359f.mjs";import{Ypa as ir,Zpa as N,_pa as fg}from"./cli-0.7.1-f6nk5cs1.mjs";import{execFile as l4}from"child_process";import{promis... L2: `).filter((o)=>o.startsWith("worktree ")).map((o)=>o.slice(9).normalize("NFC"))}catch{return[]}}var I4;var Cg=N(()=>{I4=c4(l4)});function hg(r){let i=0;for(let o=0;o<r.length;o++)i...
High
Child Process

Package source references child process execution.

dist/chunks/cli-0.7.1-rt9yw2nh.mjsView on unpkg · L1
dist/chunks/cli-0.7.1-3eywakdr.mjsView file
1import{L0 as o,O0 as OJ}from"./cli-0.7.1-qkcd1qhy.mjs";import{Gba as HJ,Rca as D,f$ as G,h$ as BJ,nea as q,tca as v,vea as E,wba as i,x8 as K,y8 as I}from"./cli-0.7.1-jpemgywy.mjs"... L2: exec "${J}/node_modules/.bin/claudin" "$@"`,493))await JJ(Q,493);return!0}catch(J){return q(J),!1}}async function EJ(J,Q){try{if(!await $J())return"install_failed";let Z=await K("n... L3: `)}catch(Q){if(p(Q))return null;throw Q}}async function n(J,Q){let Y=await qJ(J,"w");try{await Y.writeFile(Q.join(`
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunks/cli-0.7.1-3eywakdr.mjsView on unpkg · L1
dist/chunks/cli-0.7.1-jpemgywy.mjsView file
1import{Xea as o6,afa as aW}from"./cli-0.7.1-ebdykdv4.mjs";import{ifa as Vq,kfa as c6,lfa as hI}from"./cli-0.7.1-rz6n3grv.mjs";import{Hfa as Q3,vfa as S1}from"./cli-0.7.1-bmqpkffh.m... L2: `;try{$.appendFileSync(Q,Y)}catch{try{$.mkdirSync(eL(Q)),$.appendFileSync(Q,Y)}catch{}}}function Z_(){return process.env.CLAUDE_CODE_DIAGNOSTICS_FILE}async function gP(Z,q,J){let Q... L3: `)){let Q=J.match(/^(ID|VERSION_ID)=(.*)$/);if(Q&&Q[1]&&Q[2]){let X=Q[2].replace(/^"|"$/g,"");if(Q[1]==="ID")Z.linuxDistroId=X;else Z.linuxDistroVersion=X}}}catch{}return Z})});imp... L4: `).filter(Boolean),Q=r().toLowerCase();for(let X of J){let $=R6.resolve(X).toLowerCase();if(R6.dirname($).toLowerCase()===Q||$.startsWith(Q+R6.sep)){x(`Skipping potentially malicio...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/cli-0.7.1-jpemgywy.mjsView on unpkg · L1
33`,$):Z.indexOf(10,$);if(Y===-1)break;$=Y+1;let H=q(Z,$);if(H.values.length>0)X=X.concat(H.values);if(!H.error||H.done||H.read>=J)break;$=H.read}return X}function TR(Z){let q=Z.leng... L34: `,Q);if($===-1)$=J;let Y=q.substring(Q,$).trim();if(Q=$+1,!Y)continue;try{X.push(JSON.parse(Y))}catch{}}return X}function V3(Z){if(p$)return AR(Z);if(typeof Z==="string")return jR(... L35: `)Y-=1,H+=1;else if(W==="u"&&q[H+2]==="{")H=q.indexOf("}",H+3);else H+=gR[W]??1}}let $=Q===Z.length;if(!$)J.push(Z.slice(Q));return{nextTokens:J,leadingWhitespaces:X,trailingWhites... L36: `]),gR={x:3,u:5}});import M3 from"node:process";var S0=(Z)=>l4.includes(Z),l4,w0,n4=(Z)=>w0[Z]??`stdio[${Z}]`;var Y1=B(()=>{l4=[M3.stdin,M3.stdout,M3.stderr],w0=["stdin","stdout","...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunks/cli-0.7.1-jpemgywy.mjsView on unpkg · L33
1Cross-file remote execution chain: dist/chunks/cli-0.7.1-jpemgywy.mjs spawns dist/chunks/cli-0.7.1-rt9yw2nh.mjs; helper contains network access plus dynamic code execution. L1: import{Xea as o6,afa as aW}from"./cli-0.7.1-ebdykdv4.mjs";import{ifa as Vq,kfa as c6,lfa as hI}from"./cli-0.7.1-rz6n3grv.mjs";import{Hfa as Q3,vfa as S1}from"./cli-0.7.1-bmqpkffh.m... L2: `;try{$.appendFileSync(Q,Y)}catch{try{$.mkdirSync(eL(Q)),$.appendFileSync(Q,Y)}catch{}}}function Z_(){return process.env.CLAUDE_CODE_DIAGNOSTICS_FILE}async function gP(Z,q,J){let Q... L3: `)){let Q=J.match(/^(ID|VERSION_ID)=(.*)$/);if(Q&&Q[1]&&Q[2]){let X=Q[2].replace(/^"|"$/g,"");if(Q[1]==="ID")Z.linuxDistroId=X;else Z.linuxDistroVersion=X}}}catch{}return Z})});imp... L4: `).filter(Boolean),Q=r().toLowerCase();for(let X of J){let $=R6.resolve(X).toLowerCase();if(R6.dirname($).toLowerCase()===Q||$.startsWith(Q+R6.sep)){x(`Skipping potentially malicio... ... L17: `)}catch(Y){if(W0(Y)==="ENOENT")await XR(X,`${J} L18: `,"utf-8");else throw Y}}catch(J){f(J)}}var k$=B(()=>{q1();C1();b4();R2();p0()});function F2(Z,q=!1){let J=Z.length,Q=0,X="",$=0,Y=16,H=0,K=0,W=0,U=0,V=0;function L(M,O){let T=0,j=... L19: `;break;case 114:M+="\…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunks/cli-0.7.1-jpemgywy.mjsView on unpkg · L1
dist/chunks/cli-0.7.1-88kwyk7r.mjsView file
1import{Xpa as y,_pa as b}from"./cli-0.7.1-f6nk5cs1.mjs";var P0=y(($w)=>{$w.HttpAuthLocation=void 0;(function($){$.HEADER="header",$.QUERY="query"})($w.HttpAuthLocation||($w.HttpAut... L2: `).slice(0,5).filter((T)=>!T.includes("stackTraceWarning")).join(`
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunks/cli-0.7.1-88kwyk7r.mjsView on unpkg · L1
dist/chunks/index-0.7.1-4xrmd4xj.mjsView file
20contains invisible/control Unicode U+200B (zero width space) \v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#$٪&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_\`abcdefghijklmnopqrstuvwxyz{|}~°·∙√▒─│┼┤┬├┴┐┌└┘β∞φ±½¼≈«»ﻷﻸ��ﻻﻼ� ­ﺂ£¤ﺄ��ﺎﺏﺕﺙ،ﺝﺡﺥ٠١٢٣٤٥٦٧٨٩ﻑ؛ﺱﺵﺹ؟
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunks/index-0.7.1-4xrmd4xj.mjsView on unpkg · L20
dist/chunks/defaultActionDeps-0.7.1-xqmrxq95.mjsView file
1import"./cli-0.7.1-xjaebq17.mjs";import{n as a,p as DG,q as IG,r as oB,s as nB}from"./cli-0.7.1-dw2af4d2.mjs";import"./cli-0.7.1-mky7mf90.mjs";import"./cli-0.7.1-3y886h54.mjs";impo... L2: `)),process.exit(1);if(PI()==="windows")process.stderr.write(Q.red(`Error: --tmux is not supported on Windows ... L26: 1. **Code review** — Invoke the \`${Qg}\` tool with \`skill: "code-review"\` and \`args: "medium"\` to get a correctness-bug report on your changes, then fix every reported bug bef... L27: 2. **Run unit tests** — Run the project's test suite (check for package.json scripts, Makefile targets, or common commands like \`npm test\`, \`bun test\`, \`pytest\`, \`go test\`)... L28: 3. **Test end-to-end** — Follow the e2e test recipe from the coordinator's prompt (below). If the recipe says to skip e2e for this unit, skip it. ... L407: L408: `)+X}function ug(){S({name:"create",description:"Create or refine Claudin customizations — skills, rules, and custom agents — in the project (.claudin/) or global (~/.claudin/) str... L409: `).slice(-kG).join(` ... L514: Do not add anything to \`permissions.deny\` or \`permissions.ask\`. Do not touch any other settings field.`}function Tg(){S({na
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/chunks/defaultActionDeps-0.7.1-xqmrxq95.mjsView on unpkg · L1
dist/claudin-vscode.vsixView file
path = dist/claudin-vscode.vsix kind = high_entropy_blob sizeBytes = 91168 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = compressed_blob sizeBytes = 91168 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = nested_archive_needs_inspection sizeBytes = 91168 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/claudin-vscode.vsixView on unpkg
dist/chunks/cli-0.7.1-k3wrch69.mjsView file
path = dist/chunks/cli-0.7.1-k3wrch69.mjs kind = oversized_source_file sizeBytes = 3619919 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/cli-0.7.1-k3wrch69.mjsView on unpkg
dist/chunks/cli-0.7.1-vc1w3czg.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @claudiolabs/claudin@0.7.0 matchedIdentity = npm:QGNsYXVkaW9sYWJzL2NsYXVkaW4:0.7.0 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/cli-0.7.1-vc1w3czg.mjsView on unpkg
dist/chunks/openaiShim-0.7.1-z2g9xzcq.mjsView file
11patternName = generic_password severity = medium line = 11 matchedText = [Content...in(`
Medium
Secret Pattern

Hardcoded password in dist/chunks/openaiShim-0.7.1-z2g9xzcq.mjs

dist/chunks/openaiShim-0.7.1-z2g9xzcq.mjsView on unpkg · L11

Findings

2 Critical11 High8 Medium6 Low
CriticalTrojan Source Unicodedist/chunks/index-0.7.1-4xrmd4xj.mjs
CriticalPrevious Version Dangerous Deltadist/chunks/cli-0.7.1-vc1w3czg.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunks/cli-0.7.1-rt9yw2nh.mjs
HighShell
HighSame File Env Network Executiondist/chunks/cli-0.7.1-jpemgywy.mjs
HighCommand Output Exfiltrationdist/chunks/cli-0.7.1-jpemgywy.mjs
HighCloud Metadata Accessdist/chunks/cli-0.7.1-88kwyk7r.mjs
HighCross File Remote Execution Contextdist/chunks/cli-0.7.1-jpemgywy.mjs
HighBase64 Obscured Urldist/chunks/defaultActionDeps-0.7.1-xqmrxq95.mjs
HighObfuscated
HighShips High Entropy Blobdist/claudin-vscode.vsix
HighOversized Source Filedist/chunks/cli-0.7.1-k3wrch69.mjs
MediumSecret Patterndist/chunks/cli-0.7.1-b1q31fh8.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunks/cli-0.7.1-3eywakdr.mjs
MediumProtestware
MediumShips Compressed Blobdist/claudin-vscode.vsix
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/chunks/openaiShim-0.7.1-z2g9xzcq.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectiondist/claudin-vscode.vsix