registry  /  ccc-notifier  /  0.3.0

ccc-notifier@0.3.0

Claude Code Cost notifier (now also covers Codex CLI): per-prompt cost notifications (USD/JPY) with local history and HTML dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `init` can register package-owned Stop hooks for Claude Code and optionally Codex. At hook runtime it reads local transcripts to calculate costs, persists local history, and can send a configured Slack notification containing a prompt excerpt.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ccc-notifier init`; later Claude/Codex Stop-hook execution triggers `ccc-notifier track`.
Impact
User prompts and usage metadata may be retained locally and disclosed to the user-configured Slack webhook.
Mechanism
Explicit agent hook registration with local transcript processing and optional webhook notification.
Rationale
Source shows an explicit-user-command agent hook setup and optional prompt-bearing Slack delivery, creating a real but disclosed capability risk. It is not concretely malicious because installation has no lifecycle execution, configuration is user-invoked, and no stealthy or unrelated payload behavior was found.
Evidence
package.jsondist/cli.jsdist/chunk-7KVOQ4UZ.jsdist/track-PXFSGMGL.jsdist/chunk-NV5UOHJA.jsdist/chunk-LHKBGA5K.js~/.claude/settings.json~/.codex/hooks.json~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cache/
Network endpoints4
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USDhooks.slack.com/services/...

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `init` writes Stop hooks to `~/.claude/settings.json` and optionally `~/.codex/hooks.json`.
  • The installed hook runs `track`, which reads Claude/Codex transcripts and stores cost/history data.
  • Optional Slack notification POSTs cost summary and a prompt excerpt to a user-supplied webhook.
  • Remote price and USD/JPY rate fetches occur during runtime cost calculation.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook; only `prepublishOnly`.
  • Hook and config changes are reachable only through the explicit `init` command.
  • Codex hook setup warns that platform approval is required before it runs.
  • No eval, shell-string execution, credential harvesting, stealth persistence, or destructive behavior was found.
  • Observed network endpoints are pricing/rate sources or an explicitly configured Slack webhook.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 198 KB of source, external domains: api.frankfurter.dev, hooks.slack.com, open.er-api.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/chunk-QX5KIRSU.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ccc-notifier@0.2.0 matchedIdentity = npm:Y2NjLW5vdGlmaWVy:0.2.0 similarity = 0.412 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-QX5KIRSU.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-QX5KIRSU.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings