AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `init` can register package-owned Stop hooks for Claude Code and optionally Codex. At hook runtime it reads local transcripts to calculate costs, persists local history, and can send a configured Slack notification containing a prompt excerpt.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ccc-notifier init`; later Claude/Codex Stop-hook execution triggers `ccc-notifier track`.
Impact
User prompts and usage metadata may be retained locally and disclosed to the user-configured Slack webhook.
Mechanism
Explicit agent hook registration with local transcript processing and optional webhook notification.
Rationale
Source shows an explicit-user-command agent hook setup and optional prompt-bearing Slack delivery, creating a real but disclosed capability risk. It is not concretely malicious because installation has no lifecycle execution, configuration is user-invoked, and no stealthy or unrelated payload behavior was found.
Evidence
package.jsondist/cli.jsdist/chunk-7KVOQ4UZ.jsdist/track-PXFSGMGL.jsdist/chunk-NV5UOHJA.jsdist/chunk-LHKBGA5K.js~/.claude/settings.json~/.codex/hooks.json~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cache/
Network endpoints4
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USDhooks.slack.com/services/...
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `init` writes Stop hooks to `~/.claude/settings.json` and optionally `~/.codex/hooks.json`.
- The installed hook runs `track`, which reads Claude/Codex transcripts and stores cost/history data.
- Optional Slack notification POSTs cost summary and a prompt excerpt to a user-supplied webhook.
- Remote price and USD/JPY rate fetches occur during runtime cost calculation.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook; only `prepublishOnly`.
- Hook and config changes are reachable only through the explicit `init` command.
- Codex hook setup warns that platform approval is required before it runs.
- No eval, shell-string execution, credential harvesting, stealth persistence, or destructive behavior was found.
- Observed network endpoints are pricing/rate sources or an explicitly configured Slack webhook.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/chunk-QX5KIRSU.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = ccc-notifier@0.2.0
matchedIdentity = npm:Y2NjLW5vdGlmaWVy:0.2.0
similarity = 0.412
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-QX5KIRSU.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-QX5KIRSU.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings