registry  /  @luckydraw/cumulus  /  0.31.35

@luckydraw/cumulus@0.31.35

RLM-based CLI chat wrapper for Claude with external history context management

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A user starts the CLI/gateway and submits a message that causes the configured model to invoke a tool; persistence additionally requires explicit setup confirmation.
Impact
A compromised or prompt-influenced configured model could execute commands, modify accessible files, or send data to model-selected URLs under the user's permissions.
Mechanism
Agent-directed shell, file, and HTTP capabilities with optional first-party gateway service setup.
Rationale
Source inspection does not support a malicious verdict, but the agentic shell/file/network toolchain is a real dangerous dual-use capability requiring a warning. The scanner's lifecycle and persistence signals are package-aligned and user-invoked rather than covert.
Evidence
package.jsondist/lib/gateway.jsdist/lib/version-check.jsdist/lib/tools/bash.jsdist/lib/tools/write.jsdist/lib/tools/edit.jsdist/lib/tools/web-fetch.jsdist/gateway/setup.jsdist/lib/tools/read.jsdist/lib/tools/web-search.jsdist/gateway/server.js
Network endpoints3
api.search.brave.com/res/v1/web/search127.0.0.1:8090plastic.luckydraw.dev/app/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/tools/bash.js` exposes an agent-callable shell executor.
  • `dist/lib/tools/write.js` and `dist/lib/tools/edit.js` expose agent-callable file mutation.
  • `dist/lib/tools/web-fetch.js` permits agent-directed arbitrary HTTP requests.
  • `dist/gateway/setup.js` can install persistent user services, but only from explicit `cumulus-gateway setup` interaction.
  • `dist/lib/version-check.js` can run global npm updates only through its explicit update function.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepare` only invokes Husky.
  • `dist/gateway/setup.js` asks before LaunchAgent/systemd installation and skips it for non-TTY setup.
  • `dist/lib/gateway.js` spawns the configured Claude CLI for user/runtime messages rather than at import or install time.
  • No inspected code showed credential harvesting, hidden exfiltration, encoded payload execution, or foreign AI-agent configuration writes.
  • Gateway service and config paths are package-owned under `~/.cumulus`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 79 file(s), 1.73 MB of source, external domains: 127.0.0.1, api.search.brave.com, app.texitool.com, plastic.luckydraw.dev, registry.npmjs.org, router.huggingface.co, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/tui/hooks/useClaudeProcess.jsView file
3*/ L4: import { spawn } from 'child_process'; L5: import { useCallback, useRef } from 'react';
High
Child Process

Package source references child process execution.

dist/tui/hooks/useClaudeProcess.jsView on unpkg · L3
dist/lib/gateway.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @luckydraw/cumulus@0.31.31 matchedIdentity = npm:QGx1Y2t5ZHJhdy9jdW11bHVz:0.31.31 similarity = 0.885 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/gateway.jsView on unpkg
1676// Windows: spawn() can't directly exec .cmd/.bat shims (CVE-2024-27980). L1677: // Routing through cmd.exe is required for the npm-installed `claude.cmd`. L1678: const isWindowsShim = process.platform === 'win32' && /\.(cmd|bat|ps1)$/i.test(resolvedClaudePath);
High
Shell

Package source references shell execution.

dist/lib/gateway.jsView on unpkg · L1676
dist/gateway/server.jsView file
16*/ L17: import { execFileSync } from 'child_process'; L18: import * as crypto from 'crypto'; L19: import * as fs from 'fs'; L20: import * as http from 'http'; L21: import * as os from 'os'; ... L126: try { L127: res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`); L128: } ... L284: const raw = await readBody(req); L285: body = JSON.parse(raw); L286: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/gateway/server.jsView on unpkg · L16
dist/gateway/setup.jsView file
7*/ L8: import { execSync } from 'child_process'; L9: import { randomBytes } from 'crypto'; ... L12: import * as path from 'path'; L13: const CUMULUS_DIR = process.env.CUMULUS_DIR || path.join(os.homedir(), '.cumulus'); L14: const CONFIG_PATH = path.join(CUMULUS_DIR, 'gateway.config.json'); ... L17: '.git', L18: 'package.json', L19: 'Cargo.toml', ... L70: const readline = await import('readline'); L71: const rl = readline.createInterface({ input: process.stdin, output: process.stdout }); L72: const prompt = defaultValue ? `${question} [${defaultValue}]: ` : `${question}: `;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/gateway/setup.jsView on unpkg · L7
dist/lib/version-check.jsView file
179// ─── Perform update ────────────────────────────────────────── L180: /** Check if sudo is needed for global npm install */ L181: export async function needsSudo() { L182: const { execSync } = await import('child_process'); L183: try {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/version-check.jsView on unpkg · L179

Findings

1 Critical3 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/lib/gateway.js
HighChild Processdist/tui/hooks/useClaudeProcess.js
HighShelldist/lib/gateway.js
HighRuntime Package Installdist/lib/version-check.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/gateway/setup.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/gateway/server.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings