AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious install or import-time attack surface was found. The package ships a user-invoked Linux CLI binary and bundled webview/plugin runtime assets with expected AI-agent/MCP capabilities.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User explicitly runs trumbo or enables/loads plugins through the CLI.
Impact
Could operate as an AI/agent CLI with plugin and MCP capabilities when invoked, but static inspection did not show unconsented lifecycle mutation, credential harvesting, or exfiltration.
Mechanism
user-invoked native CLI with bundled plugin sandbox and webview assets
Rationale
The risky primitives are aligned with a user-invoked AI CLI and plugin platform, and there are no npm lifecycle hooks or source evidence of install-time control-surface hijacking, persistence, credential theft, or exfiltration. The native binary and agent/MCP capability increase review surface but do not establish malicious behavior by themselves.
Evidence
package.jsonbin/trumboextensions/plugin-sandbox-bootstrap.jshub/webview/index.htmlhub/webview/assets/jsx-Bz0zcwM4.jshub/webview/assets/mermaid-parser-BfrZ3jm6.jshub/webview/icon.ico
Decision evidence
public snapshotAI called this Clean at 74.0% confidence as Benign with medium false-positive risk.
Evidence for block
- bin/trumbo is a large native ELF executable with bundled Bun/agent code and references to Claude/MCP surfaces.
- extensions/plugin-sandbox-bootstrap.js dynamically imports user/plugin files and exposes plugin registrations including tools, commands, rules, and mcpServers.
- bin/trumbo contains strings for .mcp.json, CLAUDE.md, .claude, permissions, provider tokens, and agent settings, but these appear in bundled CLI/Claude configuration code.
Evidence against
- package.json has no lifecycle scripts; install does not run code or mutate files.
- Only declared entrypoint is user-invoked bin/trumbo.
- No package source shows install-time writes to foreign AI-agent control surfaces.
- Webview hot files are bundled syntax/highlighting/mermaid assets; scanner dynamic/network hits are library grammar/runtime noise.
- extensions/plugin-sandbox-bootstrap.js loads plugins from paths passed to the sandbox, not from npm install automatically.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkWebSocket
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcehub/webview/assets/jsx-Bz0zcwM4.jsView file
1var e=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"include":"#statements"},{"include":"#shebang"}],"repository":{"access-mod...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
hub/webview/assets/jsx-Bz0zcwM4.jsView on unpkg · L1hub/webview/assets/mermaid-parser-BfrZ3jm6.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space)
\r \v \xA0 \u2028\u2029 <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
hub/webview/assets/mermaid-parser-BfrZ3jm6.jsView on unpkg · L46bin/trumboView file
•path = bin/trumbo
kind = native_binary
sizeBytes = 122870080
magicHex = [redacted]
Medium
hub/webview/icon.icoView file
•path = hub/webview/icon.ico
kind = high_entropy_blob
sizeBytes = 40082
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
hub/webview/icon.icoView on unpkgFindings
1 Critical1 High5 Medium5 Low
CriticalTrojan Source Unicodehub/webview/assets/mermaid-parser-BfrZ3jm6.js
HighShips High Entropy Blobhub/webview/icon.ico
MediumDynamic Requirehub/webview/assets/jsx-Bz0zcwM4.js
MediumNetwork
MediumProtestware
MediumShips Native Binarybin/trumbo
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License