AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. On explicit CLI launch, MulmoClaude starts a local Claude Code GUI server and installs a package-owned PostToolUse dispatcher in the active workspace. The dispatcher mirrors allowlisted skill files into the workspace’s `.claude/skills` and posts only to the authenticated local server. No npm install-time trigger or concrete credential exfiltration was found.
Decision evidence
public snapshot- `server/index.ts` startup writes a workspace `.claude` PostToolUse hook.
- `server/workspace/hooks/provision.ts` overwrites its dispatcher and updates `.claude/settings.json` each launch.
- `server/workspace/hooks/handlers/skillBridge.ts` mirrors allowlisted skill files into `.claude/skills`.
- `server/plugins/runtime-loader.ts` dynamically imports user-installed runtime plugin bundles.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `bin/mulmoclaude.js` is a user-invoked launcher; dynamic require resolves `tsx` package metadata.
- `server/index.ts` binds HTTP to `127.0.0.1` and creates a random 0600 bearer-token file.
- Hook callbacks use authenticated loopback URLs; port parsing rejects authority injection.
- The Firebase value in `src/config/firebaseConfig.ts` is a public web-app config, not a harvested credential.
- The client U+200B is a grammar-library suffix; HEIC `new Function` is bundled decoder code.
Source & flagged code
9 flagged · loading sourcePackage contains a high-severity secret pattern.
src/config/firebaseConfig.tsView on unpkg · L11Google API key in src/config/firebaseConfig.ts
src/config/firebaseConfig.tsView on unpkg · L11Package source references a known benign dynamic code generation pattern.
client/assets/heic2any-EZu0dVlS.jsView on unpkg · L1Package source references dynamic require/import behavior.
bin/mulmoclaude.jsView on unpkg · L21Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
client/assets/chunk-KEIR6QF5-Dj-OpFgW.jsView on unpkg · L46Package ships non-JavaScript build or shell helper files.
sandbox-entrypoint.shView on unpkgPackage ships high-entropy non-source blobs.
client/assets/material-icons-kAwBdRge.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
client/assets/index-C29dYZy5.jsView on unpkgPackage manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkg