
mulmoclaude@0.9.2

MulmoClaude — GUI-chat with Claude Code + long-term memory. One command to start.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked Claude Code GUI/server that uses local subprocesses, localhost HTTP/WebSocket, optional relay/Firebase features, and package-aligned Claude hook integration.

Static reason: High-risk behavior combination matched malicious policy.

Trigger: User runs npx mulmoclaude or the mulmoclaude CLI.

Impact: Starts a local service and may update its workspace support files; no unconsented install-time execution or exfiltration found.

Mechanism: Local Claude GUI server with optional runtime hook and relay integrations.

Rationale: Static inspection found risky primitives, but they are tied to the declared Claude GUI/runtime behavior and require explicit CLI/runtime use, not install/import execution. No credential harvesting, destructive persistence, hidden payload loader, or non-package-aligned network exfiltration was found.
Evidence
  • package.json
  • bin/mulmoclaude.js
  • server/index.ts
  • server/workspace/hooks/provision.ts
  • server/build/dispatcher.mjs
  • server/agent/backend/claude-code.ts
  • src/config/firebaseConfig.ts
  • server/events/relay-client.ts
  • server/api/routes/remoteHost.ts
  • <workspace>/.claude/settings.json
  • <workspace>/.claude/hooks/mulmoclaude-dispatcher.mjs
  • <workspace>/.session-token
  • <workspace>/.server-port
  • <workspace>/.claude/skills/<slug>/SKILL.md

Network endpoints (5)
  • 127.0.0.1:<port>
  • localhost:<port>
  • mulmoserver.firebaseapp.com
  • mulmoserver.firebasestorage.app
  • RELAY_URL

Decision evidence

Public snapshot
AI verdict: Clean (Benign) at 88.0% confidence, with medium false-positive risk.
Evidence for block
  • Runtime provisioning writes a Claude Code PostToolUse hook into <workspace>/.claude/settings.json and .claude/hooks/mulmoclaude-dispatcher.mjs.
  • bin/mulmoclaude.js uses child_process to check claude, spawn tsx server, and open localhost UI.
  • Remote-host/relay code can connect to Firebase or RELAY_URL when user enables those features.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; only bin entrypoint and prepack publisher script.
  • bin/mulmoclaude.js starts a localhost server only after user invokes the CLI and checks for Claude Code CLI.
  • server/index.ts binds to 127.0.0.1, writes per-startup bearer token, and protects /api routes with token/origin guards.
  • Hook provisioning is runtime, package-aligned, owner-marked, preserves non-MulmoClaude hooks, and is documented as needed for wiki/config/skill sync.
  • Firebase apiKey is documented public web config; no credential harvesting or exfiltration loop found in inspected source.
  • Large client JS, Mermaid parser, and woff2 are bundled frontend/assets, not staged executable payloads.
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 763 file(s), 10.7 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.slack.com, cdn.jsdelivr.net, cdn.plot.ly, cdn.tailwindcss.com, cdnjs.cloudflare.com, chevrotain.io, console.cloud.google.com, developer.spotify.com, developers.google.com, docs.devin.ai, docs.github.com, en.wikipedia.org, example.com, feeds.captivate.fm, fonts.bunny.net, fonts.googleapis.com, fonts.gstatic.com, github.com, images-na.ssl-images-amazon.com, json-schema.org, langium.org, linear.app, mcp.deepwiki.com, openlibrary.org, query1.finance.yahoo.com, rolldown.rs, unpkg.com, v3-migration.vuejs.org, vuejs.org, www.amazon, www.notion.so, www.npmjs.com, www.w3.org, www.youtube-nocookie.com
Oversized source lightweight scan
  • client/assets/index-Dc0R-HW5.js: 5.10 MB file, sampled 256 KB
    Signals: Network, ChildProcess, HighEntropyStrings, Minified, UrlStrings
    Domains: v3-migration.vuejs.org, vuejs.org
  • client/assets/marp-CSq0PPfK.js: 3.24 MB file, sampled 256 KB
    Signals: ChildProcess, Obfuscated, HighEntropyStrings, UrlStrings
    Domains: cdn.jsdelivr.net, fonts.bunny.net, www.w3.org

Source & flagged code

9 flagged
src/config/firebaseConfig.ts (line 11)
Match: patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High · High Secret
Package contains a high-severity secret pattern.

src/config/firebaseConfig.ts (line 11)
Match: patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High · Secret Pattern
Google API key in src/config/firebaseConfig.ts
src/plugins/spreadsheet/engine/evaluator.ts (lines 336-338)
  336: // eslint-disable -- sonarjs/code-eval
  337: const evalResult = new Function(`return (${result})`)();
  338: return evalResult;
Low · Eval
Package source references a known benign dynamic code generation pattern.
bin/mulmoclaude.js (lines 21-23)
  22: const require = createRequire(import.meta.url);
Medium · Dynamic Require
Package source references dynamic require/import behavior.
client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.js (line 46)
Line 46 contains invisible/control Unicode U+FEFF (zero width no-break space). Matched snippet:
  \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function ka(e){let t=typeof e==`string`?new RegExp(e):e;return Oa.some(e=>t.test(e))}s(ka,`isWhitespace`);function Aa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}s(Aa,`escapeReg
Critical · Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
sandbox-entrypoint.sh
path = sandbox-entrypoint.sh kind = build_helper sizeBytes = 4502 magicHex = [redacted]
Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files.
client/assets/material-icons-kAwBdRge.woff2
path = client/assets/material-icons-kAwBdRge.woff2 kind = high_entropy_blob sizeBytes = 128352 magicHex = [redacted]
High · Ships High Entropy Blob
Package ships high-entropy non-source blobs.
client/assets/index-Dc0R-HW5.js
path = client/assets/index-Dc0R-HW5.js kind = oversized_source_file sizeBytes = 5345860 magicHex = [redacted]
High · Oversized Source File
Package contains source files above the static scanner size ceiling.
package.json
Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
Medium · Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.

Findings

Totals: 1 Critical · 4 High · 7 Medium · 6 Low

Critical · Trojan Source Unicode · client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.js
High · High Secret · src/config/firebaseConfig.ts
High · Ships High Entropy Blob · client/assets/material-icons-kAwBdRge.woff2
High · Oversized Source File · client/assets/index-Dc0R-HW5.js
High · Secret Pattern · src/config/firebaseConfig.ts
Medium · Dynamic Require · bin/mulmoclaude.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · sandbox-entrypoint.sh
Medium · Structural Risk Force Deep Review
Medium · Remote Tarball Dependency · package.json
Low · Scripts Present
Low · Eval · src/plugins/spreadsheet/engine/evaluator.ts
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings