registry  /  @go-hare/claude-code  /  2.6.23

@go-hare/claude-code@2.6.23

Reverse-engineered Anthropic Claude Code CLI — interactive AI coding assistant in the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface in the distributed wrapper source. Install-time behavior only places a selected platform binary from a package-owned optional dependency.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or explicit claude CLI invocation
Impact
No credential harvesting, exfiltration, destructive action, persistence, or AI-agent control-surface mutation is established.
Mechanism
platform binary selection and local copy/link or execution
Rationale
Static hints arise from a normal postinstall native-binary wrapper pattern. Direct inspection finds no concrete malicious behavior in the shipped source; referenced optional dependency payloads are not present in this package.
Evidence
package.jsoninstall.cjscli-wrapper.cjsbin/claude.exe

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall runs only install.cjs.
    • install.cjs selects a platform-owned optional dependency and copies/links its executable to bin/claude.exe.
    • install.cjs has no network, credential collection, eval, or agent-config writes.
    • bin/claude.exe is a short error-message shell stub, not a native payload.
    • cli-wrapper.cjs only resolves the matching optional dependency and launches it with user CLI arguments.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystem
    Supply chainNo supply-chain packaging signals triggered.
    Manifest
    NoLicense
    scanned 2 file(s), 8.13 KB of source

    Source & flagged code

    3 flagged · loading source
    package.jsonView file
    scripts.postinstall = node install.cjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node install.cjs
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    bin/claude.exeView file
    path = bin/claude.exe kind = native_binary sizeBytes = 495 magicHex = [redacted]
    Medium
    Ships Native Binary

    Package ships native binary artifacts.

    bin/claude.exeView on unpkg

    Findings

    1 High3 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumEnvironment Vars
    MediumShips Native Binarybin/claude.exe
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowNo License