AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package explicitly installs its own Claude Stop hook when the user runs `init`, then locally tracks usage; Slack delivery is opt-in through a supplied webhook.
Static reason
No blocking static signals were detected.
Trigger
User runs `ccc-notifier init` or the installed Stop hook invokes `ccc-notifier track`.
Impact
Writes package-owned configuration/history data and can send prompt excerpts only to a user-configured Slack webhook.
Mechanism
Claude usage tracking with optional OS/Slack notifications and pricing/FX lookups.
Rationale
Source inspection shows an explicit-user setup command that adds a package-owned Claude Stop hook and local usage tracking. Network behavior is package-aligned pricing/FX retrieval plus opt-in Slack notification; no concrete malicious chain was found.
Evidence
package.jsondist/cli.jsdist/chunk-OXMHOVUL.jsdist/track-76Q5CZM5.jsdist/chunk-4JNZ7BHO.jsdist/chunk-OEG3AVU6.js~/.claude/settings.json~/.claude/settings.json.bak-<timestamp>~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cursors.json~/.ccc-notifier/report.html
Network endpoints4
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USDhooks.slack.com/services/...
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `init` writes a marked Claude Stop hook to `~/.claude/settings.json`.
- `track` reads Claude transcript paths and records prompt/cost history locally.
- Optional Slack notification posts prompt text to a user-configured webhook.
Evidence against
- `package.json` has no install lifecycle hook; only `prepublishOnly` builds.
- Claude settings mutation occurs only through explicit `init`, not installation.
- Hook command targets this package's `dist/cli.js track` entrypoint.
- Settings edits preserve other entries and create a backup.
- Network requests are limited to pricing/FX data and configured Slack delivery.
- No remote code loading, eval, credential harvesting, or stealth persistence found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceclaude/settings.jsonView file
•Published source reference
Low
Ai Review Evidence
`init` writes a marked Claude Stop hook to `~/.claude/settings.json`.
claude/settings.jsonView on unpkgFindings
2 Medium8 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidenceclaude/settings.json
LowAi Review Evidence
LowAi Review Evidence