registry  /  @go-hare/claude-code  /  2.6.24

@go-hare/claude-code@2.6.24

Reverse-engineered Anthropic Claude Code CLI — interactive AI coding assistant in the terminal

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Postinstall performs a package-local native-launcher installation from declared platform optional dependencies.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or explicit execution of the `claude` launcher
Impact
Installs or executes the package's intended platform-specific CLI binary; no source-confirmed exfiltration, remote fetch, persistence, or foreign control-surface mutation.
Mechanism
Platform detection and local optional-dependency binary placement/launch
Rationale
The static signals are explained by a conventional npm native-binary wrapper. Direct inspection found package-local binary selection and copying only, with no concrete malicious behavior.
Evidence
package.jsoninstall.cjscli-wrapper.cjsbin/claude.exe

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` runs `node install.cjs` on postinstall.
  • `install.cjs` replaces `bin/claude.exe` with a platform optional-dependency binary.
Evidence against
  • `install.cjs` has no network, credential, or environment-harvesting logic.
  • Postinstall resolves only declared `@go-hare/claude-code-*` optional packages.
  • Writes are limited to the package-local `bin/claude.exe` launcher.
  • `cli-wrapper.cjs` only selects and launches the matching local binary.
  • Bundled `bin/claude.exe` is a shell error stub, not a native payload.
  • No AI-agent configuration or broad user-directory mutation appears in packaged source.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 8.13 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/claude.exeView file
path = bin/claude.exe kind = native_binary sizeBytes = 495 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/claude.exeView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Native Binarybin/claude.exe
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License