registry  /  @seemseam/ccb  /  8.0.15

@seemseam/ccb@8.0.15

Visible, controllable multi-agent CLI workspace for Codex, Claude, Gemini, Kimi, MiMo, Qwen, Cursor, Copilot, Crush, Kiro, Pi, Z.ai, OpenCode, Antigravity, and Droid.

AI Security Review

scanned 7h ago · by lpm-firewall-ai

The package is a thin npm wrapper that installs a release binary at npm install time. No malicious JS behavior is confirmed, but the actual installed executable is fetched from a remote release artifact not present in the package source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; later user-invoked bin commands
Impact
Remote native executable becomes available through package bin wrappers; behavior of that binary is not inspectable from this npm source package.
Mechanism
install-time remote binary download and extraction
Attack narrative
On install, the postinstall script selects a platform tarball, downloads it plus SHA256SUMS from the project GitHub release URL or an environment-provided base URL, verifies the archive checksum from that same release source, removes any existing package-local .ccb-release directory, and extracts the archive. CLI entrypoints later call the installed executable via a runner.
Rationale
Static inspection finds an install-time remote binary installer, which is risky for firewall policy because the executable payload is outside the npm source, but the visible JS does not show exfiltration, persistence, destructive behavior, or unconsented foreign AI-agent control-surface mutation. Mark as warn/suspicious rather than block.
Evidence
package.jsonbin/ccb-npm-install.jsbin/ccb-npm-runner.jsbin/ccb.jsbin/ask.jsbin/autonew.jsbin/ctx-transfer.js.ccb-releaseos.tmpdir()/ccb-npm-*
Network endpoints1
github.com/SeemSeam/claude_codex_bridge/releases/download/v8.0.15

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with low false-positive risk.
Evidence for warning
  • package.json defines postinstall: node bin/ccb-npm-install.js
  • bin/ccb-npm-install.js downloads platform tarball and SHA256SUMS from GitHub releases during install
  • CCB_NPM_RELEASE_BASE_URL can redirect installer downloads to an arbitrary base URL
  • install script extracts downloaded archive into package-local .ccb-release
Evidence against
  • Downloaded archive is checked against SHA256SUMS before extraction
  • bin/ask.js, bin/ccb.js, bin/autonew.js, and bin/ctx-transfer.js only invoke the shared runner
  • No source-level credential harvesting, home-directory agent config writes, persistence hooks, or exfiltration code found
  • Network endpoint is package-aligned with declared GitHub repository/releases
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 6 file(s), 5.88 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/ccb-npm-install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/ask.jsView file
3L4: require("./ccb-npm-runner").run("ask");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ask.jsView on unpkg · L3

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requirebin/ask.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License