registry  /  create-cmp-cli  /  0.3.0

create-cmp-cli@0.3.0

The AI delivery harness for Kotlin/Compose Multiplatform — scaffolds a green-building app (Android + iOS) in minutes and holds AI-driven changes to a machine-enforced verify lane with a committed evidence receipt. Installs the `create-cmp` command.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit scaffold copies a package-owned Claude Code Stop hook into the generated project. The generated Android debug app also starts a loopback-only inspector that can return UI data and accept local tap requests.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-cmp` to scaffold, then uses Claude Code in that project or runs its Android debug build.
Impact
The hook can block Claude turn completion pending a local verification receipt; a local forwarded debug inspector can expose app UI state and synthesize taps.
Mechanism
First-party agent lifecycle hook plus debug-only loopback UI inspection/control server.
Rationale
Source inspection confirms no install-time execution or exfiltration. The generated first-party Claude hook and debug inspector are real user-invoked control surfaces, so policy calls for warning rather than blocking.
Evidence
package.jsonbin/create-cmp.mjssrc/scaffold.mjstemplate/.claude/settings.jsontemplate/qa/receipt-check.mjstemplate/composeApp/src/androidDebug/kotlin/com/example/app/inspector/InspectorHttpServer.kttemplate/manifest.json
Network endpoints4
127.0.0.1:9500/inspect/health127.0.0.1:9500/inspect/tree127.0.0.1:9500/inspect/design-system127.0.0.1:9500/inspect/tap

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `template/.claude/settings.json` installs a Claude Stop hook that runs `node qa/receipt-check.mjs --hook` every turn.
  • `template/qa/receipt-check.mjs` can exit 2 to block a Claude stop event when its project receipt is invalid.
  • `template/composeApp/src/androidDebug/kotlin/com/example/app/inspector/InspectorHttpServer.kt` exposes debug screenshot/tree/tap controls.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` is publisher-only.
  • `bin/create-cmp.mjs` runs only after an explicit CLI invocation and imports local command modules.
  • The hook and inspector are copied only into the user-selected scaffold target, not foreign existing agent configuration.
  • Inspector binds loopback only and is confined to the Android debug source set.
  • No source evidence of credential harvesting, secret exfiltration, remote payload loading, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 196 KB of source, external domains: 127.0.0.1, get.maestro.mobile.dev, nodejs.org

Source & flagged code

5 flagged · loading source
template/gradlew.batView file
path = template/gradlew.bat kind = build_helper sizeBytes = 2872 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/gradlew.batView on unpkg
template/gradle/wrapper/gradle-wrapper.jarView file
path = template/gradle/wrapper/gradle-wrapper.jar kind = high_entropy_blob sizeBytes = 43583 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

template/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = template/gradle/wrapper/gradle-wrapper.jar kind = compressed_blob sizeBytes = 43583 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

template/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = template/gradle/wrapper/gradle-wrapper.jar kind = nested_archive_needs_inspection sizeBytes = 43583 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

template/gradle/wrapper/gradle-wrapper.jarView on unpkg
template/qa/verify.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = create-cmp-cli@0.2.0 matchedIdentity = npm:Y3JlYXRlLWNtcC1jbGk:0.2.0 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

template/qa/verify.mjsView on unpkg

Findings

2 High4 Medium6 Low
HighShips High Entropy Blobtemplate/gradle/wrapper/gradle-wrapper.jar
HighPrevious Version Dangerous Deltatemplate/qa/verify.mjs
MediumEnvironment Vars
MediumShips Build Helpertemplate/gradlew.bat
MediumShips Compressed Blobtemplate/gradle/wrapper/gradle-wrapper.jar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiontemplate/gradle/wrapper/gradle-wrapper.jar