registry  /  mulmoclaude  /  0.9.7

mulmoclaude@0.9.7

MulmoClaude — GUI-chat with Claude Code + long-term memory. One command to start.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. On explicit CLI launch, MulmoClaude starts a local Claude Code GUI server and installs a package-owned PostToolUse dispatcher in the active workspace. The dispatcher mirrors allowlisted skill files into the workspace’s `.claude/skills` and posts only to the authenticated local server. No npm install-time trigger or concrete credential exfiltration was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `mulmoclaude`/`npx mulmoclaude`; server startup provisions the workspace hook.
Impact
Persists package-owned Claude workspace automation and can load user-selected plugins; source shows no unconsented broad config mutation, remote payload retrieval, or exfiltration chain.
Mechanism
Explicit local AI-agent workspace hook and skill-bridge setup.
Rationale
Flagged agent-control behavior is real but occurs only after explicit user launch and is scoped to the package workspace with owner-marked updates. Scanner claims for Trojan Source, a secret, font entropy, and bundled HEIC dynamic code do not establish malicious behavior.
Evidence
package.jsonbin/mulmoclaude.jsserver/index.tsserver/api/auth/token.tsserver/workspace/hooks/provision.tsserver/workspace/hooks/handlers/skillBridge.tsserver/workspace/hooks/shared/sidecar.tsserver/plugins/runtime-loader.tssrc/config/firebaseConfig.tsclient/assets/chunk-KEIR6QF5-Dj-OpFgW.jsclient/assets/heic2any-EZu0dVlS.jsserver/workspace/hooks/dispatcher.ts
Network endpoints4
127.0.0.1localhost:<port>mulmoserver.firebaseapp.commulmoserver.firebasestorage.app

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `server/index.ts` startup writes a workspace `.claude` PostToolUse hook.
  • `server/workspace/hooks/provision.ts` overwrites its dispatcher and updates `.claude/settings.json` each launch.
  • `server/workspace/hooks/handlers/skillBridge.ts` mirrors allowlisted skill files into `.claude/skills`.
  • `server/plugins/runtime-loader.ts` dynamically imports user-installed runtime plugin bundles.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/mulmoclaude.js` is a user-invoked launcher; dynamic require resolves `tsx` package metadata.
  • `server/index.ts` binds HTTP to `127.0.0.1` and creates a random 0600 bearer-token file.
  • Hook callbacks use authenticated loopback URLs; port parsing rejects authority injection.
  • The Firebase value in `src/config/firebaseConfig.ts` is a public web-app config, not a harvested credential.
  • The client U+200B is a grammar-library suffix; HEIC `new Function` is bundled decoder code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 811 file(s), 12.3 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.slack.com, cdn.jsdelivr.net, cdn.tailwindcss.com, cdnjs.cloudflare.com, chevrotain.io, console.cloud.google.com, developer.spotify.com, developers.google.com, docs.devin.ai, docs.github.com, en.wikipedia.org, example.com, feeds.captivate.fm, fonts.bunny.net, github.com, images-na.ssl-images-amazon.com, json-schema.org, langium.org, linear.app, mcp.deepwiki.com, openlibrary.org, query1.finance.yahoo.com, v3-migration.vuejs.org, vuejs.org, www.amazon, www.notion.so, www.npmjs.com, www.w3.org, www.youtube-nocookie.com
Oversized source lightweight scan
client/assets/index-C29dYZy5.js5.11 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsv3-migration.vuejs.orgvuejs.org
client/assets/marp-Dx1eipfE.js3.24 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsUrlStringscdn.jsdelivr.netfonts.bunny.netwww.w3.org

Source & flagged code

9 flagged · loading source
src/config/firebaseConfig.tsView file
11patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High
High Secret

Package contains a high-severity secret pattern.

src/config/firebaseConfig.tsView on unpkg · L11
11patternName = google_api_key severity = high line = 11 matchedText = apiKey: ...9s",
High
Secret Pattern

Google API key in src/config/firebaseConfig.ts

src/config/firebaseConfig.tsView on unpkg · L11
client/assets/heic2any-EZu0dVlS.jsView file
1import{t as e}from"./rolldown-runtime-CNC7AqOf.js";var t=e(((e,t)=>{(function(n,r,i,a){function o(){return C.isValid()}function s(){return C.isValid()}function c(){return C.isValid... L2: var Module=void 0!==Module?Module:{};(function(){var d={print:function(A){A=Array.prototype.slice.call(arguments).join(" "),console.log(A)},printErr:function(A){A=Array.prototype.s... L3: ;
Low
Eval

Package source references a known benign dynamic code generation pattern.

client/assets/heic2any-EZu0dVlS.jsView on unpkg · L1
bin/mulmoclaude.jsView file
21L22: const require = createRequire(import.meta.url); L23:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/mulmoclaude.jsView on unpkg · L21
client/assets/chunk-KEIR6QF5-Dj-OpFgW.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

client/assets/chunk-KEIR6QF5-Dj-OpFgW.jsView on unpkg · L46
sandbox-entrypoint.shView file
path = sandbox-entrypoint.sh kind = build_helper sizeBytes = 4502 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

sandbox-entrypoint.shView on unpkg
client/assets/material-icons-kAwBdRge.woff2View file
path = client/assets/material-icons-kAwBdRge.woff2 kind = high_entropy_blob sizeBytes = 128352 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

client/assets/material-icons-kAwBdRge.woff2View on unpkg
client/assets/index-C29dYZy5.jsView file
path = client/assets/index-C29dYZy5.js kind = oversized_source_file sizeBytes = 5359119 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

client/assets/index-C29dYZy5.jsView on unpkg
package.jsonView file
Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg

Findings

1 Critical4 High7 Medium6 Low
CriticalTrojan Source Unicodeclient/assets/chunk-KEIR6QF5-Dj-OpFgW.js
HighHigh Secretsrc/config/firebaseConfig.ts
HighShips High Entropy Blobclient/assets/material-icons-kAwBdRge.woff2
HighOversized Source Fileclient/assets/index-C29dYZy5.js
HighSecret Patternsrc/config/firebaseConfig.ts
MediumDynamic Requirebin/mulmoclaude.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helpersandbox-entrypoint.sh
MediumStructural Risk Force Deep Review
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowEvalclient/assets/heic2any-EZu0dVlS.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings