registry  /  @seemseam/ccb  /  8.0.8

@seemseam/ccb@8.0.8

Visible, controllable multi-agent CLI workspace for Codex, Claude, Gemini, Kimi, MiMo, Qwen, Cursor, Copilot, Crush, Kiro, Pi, Z.ai, OpenCode, Antigravity, and Droid.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a binary-wrapper CLI that fetches a platform release artifact at install/runtime and verifies it with a downloaded checksum file.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or running ccb/ask/autonew/ctx-transfer
Impact
Installs and runs vendored CCB CLI binary from package-local .ccb-release; risk is ordinary binary-distribution trust rather than source-confirmed malware.
Mechanism
package-aligned release download, checksum validation, local extraction, then wrapper execution
Rationale
Static inspection found a postinstall binary downloader, but it is package-aligned, checksum-verified, and limited to package-local installation paths. No source evidence of credential theft, covert exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/ccb-npm-install.jsbin/ccb-npm-runner.jsbin/ccb.jsbin/ask.jsbin/autonew.jsbin/ctx-transfer.jsREADME.md.ccb-releaseos.tmpdir()/ccb-npm-*
Network endpoints1
github.com/SeemSeam/claude_codex_bridge/releases/download/v8.0.8

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall executing bin/ccb-npm-install.js
  • bin/ccb-npm-install.js downloads release tarball and SHA256SUMS during install
  • bin/ccb-npm-install.js allows CCB_NPM_RELEASE_BASE_URL override, expanding supply-chain trust if set
Evidence against
  • Download host defaults to package-aligned GitHub release URL for SeemSeam/claude_codex_bridge
  • Downloaded archive is checked against SHA256SUMS before extraction
  • Postinstall writes only package-local .ccb-release and temp ccb-npm-* paths
  • bin entrypoints only call ccb-npm-runner.js, which installs then execs the vendored command with user args
  • No credential harvesting, persistence, destructive project writes, or exfiltration endpoints found in JS sources
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 6 file(s), 5.88 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/ccb-npm-install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/ask.jsView file
3L4: require("./ccb-npm-runner").run("ask");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ask.jsView on unpkg · L3

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requirebin/ask.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License