AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk: a user-invoked AI terminal platform with package-controlled Claude hooks, localhost MCP tools, and guarded workspace skill seeding. This is a dangerous agent-facing capability, but the inspected install hook does not perform unconsented mutation of foreign agent control surfaces.
Decision evidence
public snapshot

- server/index.ts spawns Claude PTYs with package-supplied --settings hooks, --mcp-config, --strict-mcp-config, and auto-allowed GUI MCP tools.
- server/mcp/broker.ts exposes package/plugin MCP tools over localhost and dispatches tool calls to /api/plugin/<toolName>.
- server/host-tools.ts and server/index.ts define spawnBackgroundChat, an auto-allowed agent tool that starts parallel Claude sessions.
- server/backends/workspaceSetup.ts can sync preset skills into <managed workspace>/.claude/skills when CLAUDE_CWD is the managed mulmoclaude workspace.
- server/index.ts uses tmux for persistent terminal sessions when available.
- package.json postinstall only runs server/fix-pty-perms.js, which chmods node-pty prebuilds/*/spawn-helper; it does not write Claude/Codex/MCP config.
- bin/mulmoterminal.js activates server behavior only when the user runs the CLI, not on import/install.
- workspaceSetup.ts explicitly skips seeding unless workspace equals ~/mulmoclaude or MULMOCLAUDE_WORKSPACE_PATH.
- server/index.ts restricts browser socket origins to localhost/127.0.0.1/::1.
- No credential harvesting or external exfiltration endpoint found; update check only queries npm registry latest metadata.
Source & flagged code
10 flagged

- Package defines install-time lifecycle scripts. (package.json)
- Package source references child process execution. (bin/mulmoterminal.js, L7)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/mulmoterminal.js, L7)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (bin/mulmoterminal.js, L193)
- Package source references dynamic require/import behavior. (server/plugins-registry.ts, L65)
- Package source references weak cryptographic algorithms. (server/worktrees.ts, L6)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/assets/mermaid-parser.core-DC7NPJ_M-ylD2dn6D.js, L46)
- Package ships high-entropy non-source blobs. (dist/assets/material-symbols-outlined-DKJDg2oJ.woff2)
- Package contains source files above the static scanner size ceiling. (dist/assets/marp-BlNCU8cR.js)