AI Security Review
scanned 11d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Confirmed agent-control-surface behavior exists but is package-aligned and user-invoked. No install-time hijack or concrete credential exfiltration was found.
Decision evidence
public snapshot- cli.js default run calls ensureHooks() before launching Claude
- server/lib/ensure-hooks.js writes cc-viewer-managed PreToolUse/Stop hooks into Claude settings.json
- cli.js -logger can modify shell rc files and inject cc-viewer/interceptor.js into Claude CLI
- cli.js --im starts Claude with --dangerously-skip-permissions and creates IM worker state
- server/lib/im-skills.js syncs package-provided skill files into IM_<id>/.claude/skills
- package.json has no install/postinstall/preinstall hook; prepublishOnly only builds on publish
- Claude hooks are guarded by CCVIEWER_PORT and marked cc-viewer-managed for cleanup
- Hook/shell/CLI injection paths are user-invoked ccv modes, not npm install-time execution
- server/proxy.js forwards to configured Anthropic-compatible API; no hardcoded exfiltration endpoint found
- server/interceptor.js masks x-api-key/authorization before writing request logs
Source & flagged code
8 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/assets/jszip.min-d8dJpMtW.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/assets/livescript-Bw1Vw7Ae.jsView on unpkg · L1Package source references weak cryptographic algorithms.
server/lib/claude-md-discovery.jsView on unpkg · L7Source writes installer persistence such as shell profile or service configuration.
server/lib/terminal-env.jsView on unpkg · L7Manifest entrypoint contains risky behavior absent from dist/build output.
server/interceptor.jsView on unpkg · L12Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
server/routes/skills.jsView on unpkg · L112A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server/routes/skills.jsView on unpkg