registry  /  @cc-monitoring/proxy-core  /  0.1.2

@cc-monitoring/proxy-core@0.1.2

Claude Code 代理 + 监控 CLI(Fastify 代理服务器 + PM2 守护 + Web UI + 请求记录)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. Runtime proxy mode has risky but package-aligned behavior, including AI traffic logging and an enabled injected curl_proxy tool that can fetch arbitrary URLs if the model calls it.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the CLI/server and sends Claude API traffic with tools, or uses authenticated UI endpoints.
Impact
May expose proxied prompts/API keys/responses to local UI/database and allows model-mediated URL fetches from the proxy host, but no covert exfiltration or persistence was found.
Mechanism
runtime AI proxy with logging, model tool injection, arbitrary URL fetch tool, PM2 control, and claude CLI execution
Rationale
Static inspection shows a package-aligned Claude proxy/monitoring server with a risky enabled URL-fetch tool, but no concrete malicious chain or unconsented install-time mutation. Warn rather than block.
Evidence
package.jsondist/server/index.jsdist/server/proxy.jsdist/server/ui-route.jsdist/config/index.jsdist/utils/tool-injector.jsdist/utils/inject-loop.jsdist/tools/curl.tool.jsdist/tools/probe.tool.jslogs/proxy.loglogs/proxy.db
Network endpoints1
ark.cn-beijing.volces.com/api/coding

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/tools/curl.tool.js defines enabled curl_proxy tool that fetches arbitrary supplied URLs via fetch().
  • dist/utils/tool-injector.js injects all enabled tools into outbound Claude request bodies when tools exist.
  • dist/utils/inject-loop.js executes injected tool calls returned by the upstream model.
  • dist/server/proxy.js records full request headers/body, API keys, responses, and exposes request data through UI APIs.
  • dist/server/ui-route.js exposes authenticated /ui/api/exec to run claude -p <prompt>.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; prepublishOnly is publish-time only.
  • dist/server/index.js starts only when directly executed or under PM2, not on import alone.
  • dist/config/index.js default upstream is package-aligned for an AI proxy.
  • UI config/control/exec mutations use checkAuth in dist/server/ui-route.js.
  • No hardcoded attacker endpoint, covert exfiltration, destructive behavior, or AI-agent config mutation found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 361 file(s), 10.6 MB of source, external domains: ark.cn-beijing.volces.com, fb.me, github.com, reactjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/ui/assets/codeql-DsOJ9woJ.jsView file
1const e=Object.freeze(JSON.parse('{"displayName":"CodeQL","fileTypes":["ql","qll"],"name":"codeql","patterns":[{"include":"#module-member"}],"repository":{"abstract":{"match":"\\\\... L2: //# sourceMappingURL=codeql-DsOJ9woJ.js.map
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ui/assets/codeql-DsOJ9woJ.jsView on unpkg · L1
dist/server/ui-route.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cc-monitoring/proxy-core@0.1.1 matchedIdentity = npm:[redacted]:0.1.1 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/ui-route.jsView on unpkg

Findings

1 High5 Medium6 Low
HighPrevious Version Dangerous Deltadist/server/ui-route.js
MediumDynamic Requiredist/ui/assets/codeql-DsOJ9woJ.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings