AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a user-invoked Claude Code GUI/server that uses local subprocesses, localhost HTTP/WebSocket, optional relay/Firebase features, and package-aligned Claude hook integration.
Decision evidence
public snapshot- Runtime provisioning writes a Claude Code PostToolUse hook into <workspace>/.claude/settings.json and .claude/hooks/mulmoclaude-dispatcher.mjs.
- bin/mulmoclaude.js uses child_process to check claude, spawn tsx server, and open localhost UI.
- Remote-host/relay code can connect to Firebase or RELAY_URL when user enables those features.
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin entrypoint and prepack publisher script.
- bin/mulmoclaude.js starts a localhost server only after user invokes the CLI and checks for Claude Code CLI.
- server/index.ts binds to 127.0.0.1, writes per-startup bearer token, and protects /api routes with token/origin guards.
- Hook provisioning is runtime, package-aligned, owner-marked, preserves non-MulmoClaude hooks, and is documented as needed for wiki/config/skill sync.
- Firebase apiKey is documented public web config; no credential harvesting or exfiltration loop found in inspected source.
- Large client JS, Mermaid parser, and woff2 are bundled frontend/assets, not staged executable payloads.
Source & flagged code
9 flagged · loading sourcePackage contains a high-severity secret pattern.
src/config/firebaseConfig.tsView on unpkg · L11Google API key in src/config/firebaseConfig.ts
src/config/firebaseConfig.tsView on unpkg · L11Package source references a known benign dynamic code generation pattern.
src/plugins/spreadsheet/engine/evaluator.tsView on unpkg · L336Package source references dynamic require/import behavior.
bin/mulmoclaude.jsView on unpkg · L21Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.jsView on unpkg · L46Package ships non-JavaScript build or shell helper files.
sandbox-entrypoint.shView on unpkgPackage ships high-entropy non-source blobs.
client/assets/material-icons-kAwBdRge.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
client/assets/index-Dc0R-HW5.jsView on unpkgPackage manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkg