registry  /  cc-viewer  /  1.6.345

cc-viewer@1.6.345

⚠ Under review

Claude Code logging, visualization, and management toolkit — launch a web viewer alongside Claude Code with full request/response tracing, proxy, and mobile support

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 294 file(s), 13.0 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.dingtalk.com, bellard.org, cdn.discordapp.com, cdn.example.com, chevrotain.io, claude.ai, discord.com, en.wikipedia.org, fb.me, github.com, ipapi.co, ipinfo.io, ipwho.is, lexical.dev, open.feishu.cn, open.larksuite.com, radix-ui.com, reactjs.org, registry.npmjs.org, stuk.github.io, www.w3.org

Source & flagged code

9 flagged · loading source
dist/assets/jszip.min-BdVFP3OW.jsView file
11https://github.[redacted] L12: */var jszip_minExports=(hasRequiredJszip_min||(hasRequiredJszip_min=1,jszip_min$2.exports=function s(a,o,h){function u(r,e2){if(!o[r]){if(!a[r]){if(!e2&&commonjsRequire)return comm...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/jszip.min-BdVFP3OW.jsView on unpkg · L11
dist/assets/livescript-Bw1Vw7Ae.jsView file
1var tokenBase=function(stream,state){var next_rule=state.next||"start";state.next=state.next;var nr=Rules[next_rule];if(nr.splice){for(var i$=0;i$<nr.length;++i$){var r=nr[i$];if(r...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/livescript-Bw1Vw7Ae.jsView on unpkg · L1
server/lib/claude-md-discovery.jsView file
7* - 项目候选:从 cwd 实际路径(realpath 后)向上走,每层若 <dir>/CLAUDE.md 存在且为文件,收一条。 L8: * 终止条件:dir === dirname(dir)(fs root) / dir === homedir() / <dir>/.git 存在 / depth 达 8(任一即停)。 L9: * 三种终止条件(homedir / .git / fs root)都先收当前层再停——pushIfFile 在终止判定之前无条件执行。 ... L75: // ── 项目链遍历 ───────────────────────────────────────────────────────────── L76: if (process.platform !== 'win32') { L77: const startReal = safeRealpath(cwd) || cwd; ... L170: tail: entry.tail, L171: content: buf.toString('utf-8'), L172: real,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

server/lib/claude-md-discovery.jsView on unpkg · L7
server/lib/terminal-env.jsView file
7L8: function shouldKeepClaudeNoFlicker(env = {}, sourceEnv = process.env) { L9: return env[KEEP_CLAUDE_NO_FLICKER_ENV] === '1' || sourceEnv?.[KEEP_CLAUDE_NO_FLICKER_ENV] === '1'; ... L53: * Claude spawns, but not for scratch/fallback shells: users often export the L54: * variable from ~/.zshrc or ~/.bashrc, so the shell would recreate it before L55: * they type `claude`. For those shells we install a tiny rc wrapper that loads ... L64: const shellBase = basename(shell); L65: const homeDir = options.homeDir || homedir(); L66: const rcDir = options.rcDir || defaultRcDir();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

server/lib/terminal-env.jsView on unpkg · L7
server/interceptor.jsView file
12Manifest entrypoint (manifest.exports) carries capability families absent from dist/build output: environment+network, execution+network, builtin-tampering L12: import { renameSyncWithRetry } from './lib/file-api.js'; L13: import http from 'node:http'; L14: import https from 'node:https'; ... L23: const __filename = fileURLToPath(import.meta.url); L24: const __dirname = dirname(__filename); L25: L26: // Live-streaming 用的端口:由 server.js 在 listen 成功后通过 setLivePort 注入。 L27: // 不用 process.env.CCVIEWER_PORT 是为了避免主进程 env 污染被 child_process.spawn L28: // 继承到 Bash 工具子进程 / MCP server / Electron tab-worker 等无关进程。 ... L96: if (existsSync(p)) { L97: const data = JSON.parse(readFileSync(p, 'utf-8')); L98: return typeof data?.activeId === 'string' ? data.activeId : null;
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server/interceptor.jsView on unpkg · L12
server/routes/skills.jsView file
112contains invisible/control Unicode U+200B (zero width space) .replace(/[<U+200B>-<U+200F><U+202A>-<U+202E><U+2060><U+FEFF>]/g, '');
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

server/routes/skills.jsView on unpkg · L112
Trigger-reachable chain: manifest.main -> server.js -> server/server.js -> server/routes/skills.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server/routes/skills.jsView on unpkg
dist/favicon.icoView file
path = dist/favicon.ico kind = high_entropy_blob sizeBytes = 19578 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/favicon.icoView on unpkg
server/pty-manager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cc-viewer@1.6.336 matchedIdentity = npm:Y2Mtdmlld2Vy:1.6.336 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/pty-manager.jsView on unpkg

Findings

3 Critical2 High6 Medium9 Low
CriticalTrojan Source Unicodeserver/routes/skills.js
CriticalTrigger Reachable Dangerous Capabilityserver/routes/skills.js
CriticalPrevious Version Dangerous Deltaserver/pty-manager.js
HighEntrypoint Build Divergenceserver/interceptor.js
HighShips High Entropy Blobdist/favicon.ico
MediumDynamic Requiredist/assets/livescript-Bw1Vw7Ae.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceserver/lib/terminal-env.js
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/jszip.min-BdVFP3OW.js
LowWeak Cryptoserver/lib/claude-md-discovery.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings