
mulmoclaude@0.9.3

MulmoClaude — GUI-chat with Claude Code + long-term memory. One command to start.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are aligned with a local Claude GUI/agent app and are activated by explicit CLI runtime use, not package install.

Static reason: High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger: User runs npx mulmoclaude or the mulmoclaude bin.
Impact: Creates/updates app-owned workspace hooks and starts Claude Code subprocesses for user chat workflows.
Mechanism: local server launcher with workspace hook provisioning
Rationale: Static inspection shows an AI-agent GUI package that intentionally starts a localhost service and configures workspace-scoped Claude hooks for app features; there is no install-time execution, credential harvesting, external exfiltration, persistence outside the declared workspace behavior, or destructive payload. The automatic hook mutation is user-invoked and package-aligned rather than an unconsented lifecycle hijack.
Evidence:
    • package.json
    • bin/mulmoclaude.js
    • server/index.ts
    • server/workspace/hooks/provision.ts
    • server/workspace/hooks/dispatcher.ts
    • server/workspace/hooks/handlers/skillBridge.ts
    • server/workspace/hooks/shared/sidecar.ts
    • src/config/firebaseConfig.ts
    • .claude/settings.json
    • .claude/hooks/mulmoclaude-dispatcher.mjs
    • .session-token
    • .server-port
    • .claude/skills/<slug>/SKILL.md
Network endpoints (5):
    • 127.0.0.1
    • localhost
    • mulmoserver.firebaseapp.com
    • github.com/receptron/mulmoclaude.git
    • cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall lifecycle hooks; only bin entry is bin/mulmoclaude.js.
    • bin/mulmoclaude.js runs only when invoked, checks claude --version, starts local server, and polls/opens localhost.
    • server/index.ts provisions Claude PostToolUse hooks at runtime for the app workspace, before spawning the Claude agent.
    • server/workspace/hooks/provision.ts writes a bounded dispatcher entry it owns and preserves unrelated user hooks.
    • server/workspace/hooks/dispatcher.ts only handles wiki snapshots, config refresh, and data/skills to .claude/skills mirroring.
    • src/config/firebaseConfig.ts contains public Firebase web config, explicitly documented as non-secret.
    Behavioral surface
    Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
    Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 768 file(s), 10.8 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.slack.com, cdn.jsdelivr.net, cdn.tailwindcss.com, cdnjs.cloudflare.com, chevrotain.io, console.cloud.google.com, developer.spotify.com, developers.google.com, docs.devin.ai, docs.github.com, en.wikipedia.org, example.com, feeds.captivate.fm, fonts.bunny.net, github.com, images-na.ssl-images-amazon.com, json-schema.org, langium.org, linear.app, mcp.deepwiki.com, openlibrary.org, query1.finance.yahoo.com, rolldown.rs, v3-migration.vuejs.org, vuejs.org, www.amazon, www.notion.so, www.npmjs.com, www.w3.org, www.youtube-nocookie.com
    Oversized source lightweight scan
    client/assets/index-40ErrJ4a.js: 5.11 MB file, sampled 256 KB
    Signals: Network, ChildProcess, HighEntropyStrings, Minified, UrlStrings; domains: v3-migration.vuejs.org, vuejs.org
    client/assets/marp-Dh7C24F1.js: 3.24 MB file, sampled 256 KB
    Signals: ChildProcess, Obfuscated, HighEntropyStrings, UrlStrings; domains: cdn.jsdelivr.net, fonts.bunny.net, www.w3.org

    Source & flagged code

    10 flagged
    src/config/firebaseConfig.ts
    High · High Secret · L11
    patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
    Package contains a high-severity secret pattern.

    High · Secret Pattern · L11
    patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
    Google API key in src/config/firebaseConfig.ts

    src/plugins/spreadsheet/engine/evaluator.ts
    Low · Eval · L336
    L336: // eslint-disable -- sonarjs/code-eval
    L337: const evalResult = new Function(`return (${result})`)();
    L338: return evalResult;
    Package source references a known benign dynamic code generation pattern.

    bin/mulmoclaude.js
    High · Previous Version Dangerous Delta
    matchType = previous_version_dangerous_delta matchedPackage = mulmoclaude@0.9.2 matchedIdentity = npm:bXVsbW9jbGF1ZGU:0.9.2 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    Medium · Dynamic Require · L21
    L22: const require = createRequire(import.meta.url);
    L23:
    Package source references dynamic require/import behavior.

    client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.js
    Critical · Trojan Source Unicode · L46
    contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function ka(e){let t=typeof e==`string`?new RegExp(e):e;return Oa.some(e=>t.test(e))}s(ka,`isWhitespace`);function Aa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}s(Aa,`escapeReg
    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    sandbox-entrypoint.sh
    Medium · Ships Build Helper
    path = sandbox-entrypoint.sh kind = build_helper sizeBytes = 4502 magicHex = [redacted]
    Package ships non-JavaScript build or shell helper files.

    client/assets/material-icons-kAwBdRge.woff2
    High · Ships High Entropy Blob
    path = client/assets/material-icons-kAwBdRge.woff2 kind = high_entropy_blob sizeBytes = 128352 magicHex = [redacted]
    Package ships high-entropy non-source blobs.

    client/assets/marp-Dh7C24F1.js
    High · Oversized Source File
    path = client/assets/marp-Dh7C24F1.js kind = oversized_source_file sizeBytes = 3395874 magicHex = [redacted]
    Package contains source files above the static scanner size ceiling.

    package.json
    Medium · Remote Tarball Dependency
    Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
    Package manifest contains a dependency pinned to a remote tarball URL.

    Findings

    1 Critical · 5 High · 7 Medium · 6 Low
    Critical · Trojan Source Unicode · client/assets/mermaid-parser.core-DC7NPJ_M-Ca6XzwfM.js
    High · High Secret · src/config/firebaseConfig.ts
    High · Ships High Entropy Blob · client/assets/material-icons-kAwBdRge.woff2
    High · Oversized Source File · client/assets/marp-Dh7C24F1.js
    High · Previous Version Dangerous Delta · bin/mulmoclaude.js
    High · Secret Pattern · src/config/firebaseConfig.ts
    Medium · Dynamic Require · bin/mulmoclaude.js
    Medium · Network
    Medium · Environment Vars
    Medium · Protestware
    Medium · Ships Build Helper · sandbox-entrypoint.sh
    Medium · Structural Risk Force Deep Review
    Medium · Remote Tarball Dependency · package.json
    Low · Scripts Present
    Low · Eval · src/plugins/spreadsheet/engine/evaluator.ts
    Low · Filesystem
    Low · Obfuscated
    Low · High Entropy Strings
    Low · Url Strings