registry  /  ccc-notifier  /  0.2.0

ccc-notifier@0.2.0

Claude Code Cost notifier: per-prompt cost notifications (USD/JPY) with local history and HTML dashboard

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package explicitly installs its own Claude Stop hook when the user runs `init`, then locally tracks usage; Slack delivery is opt-in through a supplied webhook.

Static reason
No blocking static signals were detected.
Trigger
User runs `ccc-notifier init` or the installed Stop hook invokes `ccc-notifier track`.
Impact
Writes package-owned configuration/history data and can send prompt excerpts only to a user-configured Slack webhook.
Mechanism
Claude usage tracking with optional OS/Slack notifications and pricing/FX lookups.
Rationale
Source inspection shows an explicit-user setup command that adds a package-owned Claude Stop hook and local usage tracking. Network behavior is package-aligned pricing/FX retrieval plus opt-in Slack notification; no concrete malicious chain was found.
Evidence
package.jsondist/cli.jsdist/chunk-OXMHOVUL.jsdist/track-76Q5CZM5.jsdist/chunk-4JNZ7BHO.jsdist/chunk-OEG3AVU6.js~/.claude/settings.json~/.claude/settings.json.bak-<timestamp>~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cursors.json~/.ccc-notifier/report.html
Network endpoints4
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USDhooks.slack.com/services/...

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `init` writes a marked Claude Stop hook to `~/.claude/settings.json`.
  • `track` reads Claude transcript paths and records prompt/cost history locally.
  • Optional Slack notification posts prompt text to a user-configured webhook.
Evidence against
  • `package.json` has no install lifecycle hook; only `prepublishOnly` builds.
  • Claude settings mutation occurs only through explicit `init`, not installation.
  • Hook command targets this package's `dist/cli.js track` entrypoint.
  • Settings edits preserve other entries and create a backup.
  • Network requests are limited to pricing/FX data and configured Slack delivery.
  • No remote code loading, eval, credential harvesting, or stealth persistence found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 167 KB of source, external domains: api.frankfurter.dev, hooks.slack.com, open.er-api.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

1 flagged · loading source
claude/settings.jsonView file
Published source reference
Low
Ai Review Evidence

`init` writes a marked Claude Stop hook to `~/.claude/settings.json`.

claude/settings.jsonView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidenceclaude/settings.json
LowAi Review Evidence
LowAi Review Evidence