registry  /  mulmoclaude  /  0.9.4

mulmoclaude@0.9.4

MulmoClaude — GUI-chat with Claude Code + long-term memory. One command to start.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked MulmoClaude startup provisions a Claude Code PostToolUse hook and project-scope skills inside the app workspace. This is agent extension/control-surface behavior, but it is package-aligned and not npm install-time hijacking.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Running npx mulmoclaude / mulmoclaude CLI and starting the local server
Impact
Claude Code sessions launched from the MulmoClaude workspace receive package-managed hooks and broad allowed tool/MCP integration.
Mechanism
workspace-scoped Claude hook and skill bridge provisioning
Policy narrative
On CLI/server startup, the package creates its app workspace and installs a Claude Code PostToolUse dispatcher under that workspace's .claude directory. The dispatcher mirrors package/workspace skill files and calls back to the local server. This is a real agent-control extension surface, but inspection did not find npm lifecycle execution, global Claude config mutation, credential harvesting, or remote exfiltration.
Rationale
The package is an AI/Claude GUI that intentionally manages workspace-scoped Claude hooks, skills, MCP config, and local server callbacks after explicit CLI invocation. That warrants a warning for agent extension lifecycle risk, but not a publish block because the behavior is not install-time, is confined to the app workspace, and has no confirmed malicious exfiltration or persistence outside the platform contract.
Evidence
package.jsonbin/mulmoclaude.jsserver/index.tsserver/workspace/hooks/provision.tsserver/workspace/hooks/dispatcher.tsserver/workspace/hooks/handlers/skillBridge.tsserver/workspace/hooks/shared/sidecar.tsserver/agent/config.tssrc/config/firebaseConfig.ts~/mulmoclaude/.claude/settings.json~/mulmoclaude/.claude/hooks/mulmoclaude-dispatcher.mjs~/mulmoclaude/.claude/skills/<slug>/SKILL.md~/mulmoclaude/.session-token~/mulmoclaude/.server-port~/mulmoclaude/config/mcp.json
Network endpoints5
localhost:<port>127.0.0.1:<port>host.docker.internal:<port>mulmoserver.firebaseapp.comcdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • server/index.ts calls provisionDispatcherHook on user-invoked server startup
  • server/workspace/hooks/provision.ts writes <workspace>/.claude/settings.json and .claude/hooks/mulmoclaude-dispatcher.mjs
  • dispatcher handles PostToolUse Write/Edit/Bash and mirrors data/skills into .claude/skills
  • server/agent/config.ts pre-allows broad Claude/MCP tools including Bash, Write, Edit, WebFetch, WebSearch, Skill
Evidence against
  • package.json has no install/postinstall lifecycle hook
  • bin/mulmoclaude.js only runs when CLI is invoked and binds UI to localhost
  • hook writes are under the app workspace, default ~/mulmoclaude, not global ~/.claude
  • sidecar hardens callback host/port and posts only to loopback/host.docker.internal with bearer token
  • Firebase config is public project config; remote-host connect requires authenticated local API call
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 775 file(s), 10.8 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.slack.com, cdn.jsdelivr.net, cdn.tailwindcss.com, cdnjs.cloudflare.com, chevrotain.io, console.cloud.google.com, developer.spotify.com, developers.google.com, docs.devin.ai, docs.github.com, en.wikipedia.org, example.com, feeds.captivate.fm, fonts.bunny.net, github.com, images-na.ssl-images-amazon.com, json-schema.org, langium.org, linear.app, mcp.deepwiki.com, openlibrary.org, query1.finance.yahoo.com, rolldown.rs, v3-migration.vuejs.org, vuejs.org, www.amazon, www.notion.so, www.npmjs.com, www.w3.org, www.youtube-nocookie.com
Oversized source lightweight scan
client/assets/index-B3NxFcEH.js5.14 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsv3-migration.vuejs.orgvuejs.org
client/assets/marp-C9QDHFAJ.js3.24 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsUrlStringscdn.jsdelivr.netfonts.bunny.netwww.w3.org

Source & flagged code

10 flagged · loading source
src/config/firebaseConfig.tsView file
11patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High
High Secret

Package contains a high-severity secret pattern.

src/config/firebaseConfig.tsView on unpkg · L11
11patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High
Secret Pattern

Google API key in src/config/firebaseConfig.ts

src/config/firebaseConfig.tsView on unpkg · L11
src/plugins/spreadsheet/engine/evaluator.tsView file
336// eslint-disable -- sonarjs/code-eval L337: const evalResult = new Function(`return (${result})`)(); L338: return evalResult;
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/plugins/spreadsheet/engine/evaluator.tsView on unpkg · L336
bin/mulmoclaude.jsView file
21L22: const require = createRequire(import.meta.url); L23:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/mulmoclaude.jsView on unpkg · L21
client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function ka(e){let t=typeof e==`string`?new RegExp(e):e;return Oa.some(e=>t.test(e))}s(ka,`isWhitespace`);function Aa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}s(Aa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.jsView on unpkg · L46
sandbox-entrypoint.shView file
path = sandbox-entrypoint.sh kind = build_helper sizeBytes = 4502 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

sandbox-entrypoint.shView on unpkg
client/assets/material-icons-kAwBdRge.woff2View file
path = client/assets/material-icons-kAwBdRge.woff2 kind = high_entropy_blob sizeBytes = 128352 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

client/assets/material-icons-kAwBdRge.woff2View on unpkg
client/assets/index-B3NxFcEH.jsView file
path = client/assets/index-B3NxFcEH.js kind = oversized_source_file sizeBytes = 5386941 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

client/assets/index-B3NxFcEH.jsView on unpkg
package.jsonView file
Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
server/api/routes/config.tsView file
matchType = previous_version_dangerous_delta matchedPackage = mulmoclaude@0.9.3 matchedIdentity = npm:bXVsbW9jbGF1ZGU:0.9.3 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/api/routes/config.tsView on unpkg

Findings

1 Critical5 High7 Medium6 Low
CriticalTrojan Source Unicodeclient/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.js
HighHigh Secretsrc/config/firebaseConfig.ts
HighShips High Entropy Blobclient/assets/material-icons-kAwBdRge.woff2
HighOversized Source Fileclient/assets/index-B3NxFcEH.js
HighPrevious Version Dangerous Deltaserver/api/routes/config.ts
HighSecret Patternsrc/config/firebaseConfig.ts
MediumDynamic Requirebin/mulmoclaude.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helpersandbox-entrypoint.sh
MediumStructural Risk Force Deep Review
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowEvalsrc/plugins/spreadsheet/engine/evaluator.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings