registry  /  @namki1222/loomo  /  2.0.0

@namki1222/loomo@2.0.0

Weave your Claude Code & Codex sessions into a team that talks to each other — multi-agent messaging over tmux, no daemon, no MCP.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI is an explicit local AI-session orchestrator. It can modify selected project agent instructions, inject messages into tmux panes, and launch Codex without its sandbox. No install-time foreign control-surface mutation or covert exfiltration was found.

Static reason
No blocking static signals were detected.
Trigger
User runs `loomo add`, `loomo adopt`, `loomo hub`, `loomo up`, or opens the no-argument dashboard.
Impact
A user who configures untrusted projects or tmux sessions can grant coordinated agents broad local execution and pane-input control.
Mechanism
User-invoked agent configuration, tmux pane injection, and unsandboxed Codex launch.
Rationale
No concrete malicious payload, stealth persistence, or third-party credential exfiltration was found. Warn because the explicit product workflow modifies agent control files and disables Codex sandboxing for launched sessions.
Evidence
package.jsonbin/telllib/workspace.shlib/home.shtemplates/CLAUDE-section-role.en.mdtemplates/CLAUDE-section-hub.en.md$HOME/.claude/.credentials.json<user-selected-project>/AGENTS.md<user-selected-project>/CLAUDE.md$HOME/.config/loomo/workspaces.conf
Network endpoints1
api.anthropic.com/api/oauth/usage

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/tell` launches Codex with `--sandbox danger-full-access`.
  • `lib/workspace.sh` appends collaboration instructions to selected project `AGENTS.md`/`CLAUDE.md` files.
  • `bin/tell` injects supplied messages into tmux AI panes via `tmux send-keys`.
  • `lib/home.sh` reads Claude OAuth credentials and sends them to Anthropic's usage endpoint when the dashboard opens.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or import-time hook.
  • The credential-bearing request targets only `https://api.anthropic.com/api/oauth/usage`; no third-party exfiltration endpoint was found.
  • Agent setup, dependency installation, and project-file writes occur through documented user commands.
  • Templates disclose the tmux injection boundary and prohibit sending secrets.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
lib/common.shView file
path = lib/common.sh kind = build_helper sizeBytes = 1029 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/common.shView on unpkg

Findings

1 Medium1 Low
MediumShips Build Helperlib/common.sh
LowScripts Present