registry  /  @lonely9206/cc-hooks  /  0.2.67

@lonely9206/cc-hooks@0.2.67

Claude Code hooks for logging prompts and file changes

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit initialization installs global Claude Code hooks. Those hooks upload prompts and code-change metadata to a hard-coded private-network API by default.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cc-hooks init`, then Claude Code emits configured hook events.
Impact
Prompts, project identifiers, author/OS metadata, and changed-file paths can leave the workstation; queued records persist locally until sent.
Mechanism
Global AI-agent hook installation with prompt and change telemetry upload.
Rationale
Source inspection confirms sensitive telemetry and explicit global Claude Code hook setup, but the install hook is informational and no hidden loader, credential theft, or unconsented lifecycle mutation was found. The documented behavior merits a warning rather than a publish block.
Evidence
package.jsonbin/postinstall.jsbin/cli.jssrc/api.jssrc/fileTracker.jsREADME.mddist/index.jssrc/localSnapshot.js~/.claude/settings.json~/.cc-hooks/config~/.cc-hooks/outbox~/.cc-hooks/snapshots
Network endpoints3
192.168.1.224:8001/api/entries/prompt192.168.1.224:8001/api/entries/changes192.168.1.224:8001/api/snapshot

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/api.js` posts submitted prompt text to the configured API.
  • Default API is `http://192.168.1.224:8001`; no authentication is implemented.
  • `bin/cli.js` `init` writes command hooks into `~/.claude/settings.json`.
  • Hook commands collect project/author/OS metadata and changed-file paths.
  • Failed uploads persist queued telemetry in `~/.cc-hooks/outbox`.
  • Bundled `dist/index.js` contains the same application API logic.
Evidence against
  • `bin/postinstall.js` only prints setup instructions; it makes no mutations.
  • Claude hook installation occurs only through explicit `cc-hooks init`.
  • README discloses prompt and file-change logging behavior.
  • No credential harvesting, arbitrary remote code loading, or destructive actions found.
  • The `eval("require")` in `dist/index.js` is bundled dependency compatibility code.
  • Uninstall removes only this package's named Claude hook commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 22 file(s), 894 KB of source, external domains: 192.168.1.224, bugzilla.mozilla.org, en.wikipedia.org, encoding.spec.whatwg.org, example.test, github.com, hackerone.com, icu-project.org, me.abelcheung.org, moztw.org, source.icu-project.org, www.google.com, www.haible.de, www.khngai.com, www.ogcio.gov.hk, www.unicode.org, www.w3.org, www8.plala.or.jp

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
104// likely the result of a `url.parse()` call... we need to L105: // remove the `path` portion so that `net.connect()` doesn't L106: // attempt to open that as a unix socket file. ... L852: if (typeof stream == 'undefined') { L853: this.end(); L854: return; ... L1171: * @param {String} namespaces L1172: * @api private L1173: */ ... L1203: if (!r && typeof process !== 'undefined' && 'env' in process) { L1204: r = process.env.DEBUG; L1205: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L104
8851L8852: module.exports = eval("require")("supports-color"); L8853:
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L8851
104// likely the result of a `url.parse()` call... we need to L105: // remove the `path` portion so that `net.connect()` doesn't L106: // attempt to open that as a unix socket file. ... L852: if (typeof stream == 'undefined') { L853: this.end(); L854: return; ... L1171: * @param {String} namespaces L1172: * @api private L1173: */ ... L1203: if (!r && typeof process !== 'undefined' && 'env' in process) { L1204: r = process.env.DEBUG; L1205: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L104
src/api.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lonely9206/cc-hooks@0.2.63 matchedIdentity = npm:QGxvbmVseTkyMDYvY2MtaG9va3M:0.2.63 similarity = 0.700 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/api.jsView on unpkg

Findings

1 Critical2 High3 Medium8 Low
CriticalPrevious Version Dangerous Deltasrc/api.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License