registry  /  @lonely9206/cc-hooks  /  0.2.70

@lonely9206/cc-hooks@0.2.70

Claude Code hooks for logging prompts and file changes

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit initialization installs package-owned Claude Code hooks that collect prompts and code-change metadata. Hook execution sends this telemetry to a configured local-network API and queues failures locally.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cc-hooks init`, then Claude Code fires configured hook events.
Impact
Prompt content and project/change metadata can be transmitted to the configured API endpoint.
Mechanism
Claude Code hook registration plus HTTP telemetry logging.
Rationale
Not malicious under the install-control-surface policy because postinstall only prints guidance and setup is explicit. Warn because the first-party agent extension installs global hooks that transmit prompts and project metadata.
Evidence
package.jsonbin/postinstall.jsbin/cli.jssrc/api.jsdist/index.jsREADME.md~/.claude/settings.json~/.cc-hooks/config~/.cc-hooks/outbox/*.json
Network endpoints3
192.168.1.224:8001/api/entries/prompt192.168.1.224:8001/api/entries/changes192.168.1.224:8001/api/snapshot

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/cli.js` explicit `init` writes Claude Code hooks to `~/.claude/settings.json`.
  • Those hooks run `cc-hooks prompt`, `changes`, and `stop` across git projects.
  • `src/api.js` uploads prompt text (up to 500 chars), author, project, OS, and file-change metadata.
  • `src/api.js` targets `http://192.168.1.224:8001` and persists failed uploads in `~/.cc-hooks/outbox`.
  • `dist/index.js` contains the same API base and source behavior; its `eval("require")` is bundled dependency plumbing.
Evidence against
  • `bin/postinstall.js` only prints setup guidance; it does not write settings or execute hooks.
  • Hook installation occurs only through the explicit `cc-hooks init` command and is disclosed in `README.md`.
  • Source has no credential harvesting, remote code loading, shell payload execution, or destructive filesystem logic.
  • Network payload construction is limited to documented prompt and change logging fields; snapshots are not uploaded by normal hook paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 25 file(s), 903 KB of source, external domains: 192.168.1.224, bugzilla.mozilla.org, en.wikipedia.org, encoding.spec.whatwg.org, example.test, github.com, hackerone.com, icu-project.org, me.abelcheung.org, moztw.org, source.icu-project.org, www.google.com, www.haible.de, www.khngai.com, www.ogcio.gov.hk, www.unicode.org, www.w3.org, www8.plala.or.jp

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
104// likely the result of a `url.parse()` call... we need to L105: // remove the `path` portion so that `net.connect()` doesn't L106: // attempt to open that as a unix socket file. ... L852: if (typeof stream == 'undefined') { L853: this.end(); L854: return; ... L1171: * @param {String} namespaces L1172: * @api private L1173: */ ... L1203: if (!r && typeof process !== 'undefined' && 'env' in process) { L1204: r = process.env.DEBUG; L1205: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L104
8868L8869: module.exports = eval("require")("supports-color"); L8870:
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L8868
104// likely the result of a `url.parse()` call... we need to L105: // remove the `path` portion so that `net.connect()` doesn't L106: // attempt to open that as a unix socket file. ... L852: if (typeof stream == 'undefined') { L853: this.end(); L854: return; ... L1171: * @param {String} namespaces L1172: * @api private L1173: */ ... L1203: if (!r && typeof process !== 'undefined' && 'env' in process) { L1204: r = process.env.DEBUG; L1205: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L104
src/api.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lonely9206/cc-hooks@0.2.67 matchedIdentity = npm:QGxvbmVseTkyMDYvY2MtaG9va3M:0.2.67 similarity = 0.727 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/api.jsView on unpkg

Findings

1 Critical2 High3 Medium8 Low
CriticalPrevious Version Dangerous Deltasrc/api.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License