registry  /  neural-loom  /  0.4.0-rc.11

neural-loom@0.4.0-rc.11

NeuralLoom is a local Next.js orchestration cockpit and terminal bridge designed to manage multiple concurrent terminal agent sessions (such as **Claude Code** and **Aider**) in isolated or overlapping workspaces. It streams pseudo-terminal (PTY) streams

AI Security Review

scanned 10d ago · by lpm-firewall-ai

The package is a user-invoked local AI orchestration dashboard with shell, file, git, SQL, and agent controls. These are powerful but package-aligned features guarded to localhost by default, with no confirmed malicious install-time or covert behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the neural-loom CLI or starts/uses dashboard sessions.
Impact
Local workspace files and commands may be read, written, or executed through intended dashboard controls.
Mechanism
local dashboard launching Next.js, PTY-backed agents, and workspace helper files
Rationale
Static inspection shows dangerous primitives are explicit local-dashboard functionality, not install-time execution, covert exfiltration, persistence, or unconsented AI-agent control hijacking. The workspace AI config writes are visible NeuralLoom feature plumbing and are triggered through dashboard/session use, with localhost origin guards in place.
Evidence
package.jsonbin/cli.jssrc/middleware.tssrc/lib/security.tssrc/lib/agents/ContextManager.tssrc/lib/agents/SessionManager.tssrc/lib/agents/ClaudeRunner.tssrc/lib/agents/AiderRunner.tssrc/app/api/files/route.tssrc/app/api/git/route.tssrc/app/api/feedback/route.ts.claude/commands/ccp.md.claude/commands/ccc.md.mcp.json.ai/neural-loom/cprompt.md.ai/neural-loom/ccontext.md
Network endpoints4
localhost:9600127.0.0.1:9600127.0.0.1:9601dpcorbett/neural-loom

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/cli.js starts a local Next.js dashboard via child_process.spawn.
  • src/lib/agents/ClaudeRunner.ts and AiderRunner.ts spawn Claude/Aider or Docker on explicit session start.
  • src/lib/agents/ContextManager.ts writes .claude commands, .mcp.json, and .ai/neural-loom context files for the workspace.
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly is build-only and not consumer install-time.
  • bin/cli.js binds to 127.0.0.1 by default; LAN requires NEURAL_LOOM_ALLOW_LAN or NEURAL_LOOM_HOST opt-in.
  • src/middleware.ts and src/lib/security.ts reject non-local Host/Origin for API routes by default.
  • src/lib/agents/ContextManager.ts writes transparent NeuralLoom slash commands and an MCP SQL bridge, not hidden reviewer/prompt hijack text.
  • src/app/api/feedback/route.ts uses local gh CLI only after user-submitted feedback; no bundled token or covert endpoint.
  • No credential harvesting or external exfiltration endpoint found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 73 file(s), 622 KB of source, external domains: cli.github.com, www.docker.com

Source & flagged code

8 flagged · loading source
bin/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = neural-loom@0.3.5 matchedIdentity = npm:bmV1cmFsLWxvb20:0.3.5 similarity = 0.676 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.jsView on unpkg
3L4: const { spawn } = require('child_process'); L5: const path = require('path');
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L3
3L4: const { spawn } = require('child_process'); L5: const path = require('path'); ... L8: const readline = require('readline'); L9: const http = require('http'); L10: L11: let wsRoot = process.argv[3] || process.env.ORIGINAL_CWD || process.cwd(); L12: wsRoot = path.resolve(wsRoot).replace(/\\/g, '/');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/cli.jsView on unpkg · L3
src/lib/agents/AiderRunner.tsView file
79const useCmd = isWindows(); L80: const shellPath = useCmd ? (process.env.COMSPEC || "cmd.exe") : findGitBash(); L81: if (!shellPath) {
High
Shell

Package source references shell execution.

src/lib/agents/AiderRunner.tsView on unpkg · L79
src/app/api/sessions/stats/route.tsView file
14/* eslint-disable @typescript-eslint/no-require-imports */ L15: const pidusage = eval("require")("pidusage"); L16: const stat = await pidusage(pid);
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/app/api/sessions/stats/route.tsView on unpkg · L14
src/lib/agents/ClaudeRunner.tsView file
78L79: // Check if 'claude' command exists in PATH, fallback to npx if not L80: let baseCmd = "claude"; ... L82: const checkCmd = isWindows() ? "where.exe claude" : "which claude"; L83: execSync(checkCmd, { env: customEnv, stdio: "ignore" }); L84: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/lib/agents/ClaudeRunner.tsView on unpkg · L78
bin/fix-pwa-ubuntu.shView file
path = bin/fix-pwa-ubuntu.sh kind = build_helper sizeBytes = 1700 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fix-pwa-ubuntu.shView on unpkg
.next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2View file
path = .[redacted]-s.0zgw-jeven.3w.woff2 kind = high_entropy_blob sizeBytes = 6204 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2View on unpkg

Findings

1 Critical5 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltabin/cli.js
HighChild Processbin/cli.js
HighShellsrc/lib/agents/AiderRunner.ts
HighSame File Env Network Executionbin/cli.js
HighRuntime Package Installsrc/lib/agents/ClaudeRunner.ts
HighShips High Entropy Blob.next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fix-pwa-ubuntu.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalsrc/app/api/sessions/stats/route.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License