AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ccc-notifier init` (with `--codex` or interactive Codex confirmation); configured Stop hooks later run `track`.
Impact
Modifies AI-agent hook configuration and processes prompt/transcript data; a user-supplied Slack webhook can receive configured prompt excerpts.
Mechanism
Explicit AI-agent hook registration plus local transcript collection and optional Slack notification.
Rationale
This is not concrete malicious behavior, but it has real explicit-user-command AI-agent configuration mutation and prompt-processing capability. Flag as warn so the extension setup receives review rather than being silently trusted.
Evidence
package.jsondist/cli.jsdist/chunk-5LHZOZZO.jsdist/chunk-26CISNOE.jsdist/chunk-NV5UOHJA.jsdist/chunk-LHKBGA5K.js~/.claude/settings.json~/.claude/projects~/.codex/hooks.json~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cursors.json
Network endpoints3
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USD
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/chunk-5LHZOZZO.js` user-invoked `init` writes Claude Stop-hook configuration.
- Optional `--codex`/confirmed setup edits `~/.codex/hooks.json` to run `ccc-notifier track --codex`.
- Hooked runtime reads Claude project transcripts and stores prompt/cost history locally.
- Configured Slack webhook posts notification payloads containing prompt text.
Evidence against
- `package.json` has only `prepublishOnly`; no npm install lifecycle hook.
- Agent-hook mutation occurs only through explicit `init`, with interactive confirmation for Codex.
- Remote fetches are fixed price/FX endpoints; no remote code loading or eval found.
- Process spawning is limited to OS notifications, browser opening, and `wslpath`.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/chunk-2VPBBIDW.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = ccc-notifier@0.3.0
matchedIdentity = npm:Y2NjLW5vdGlmaWVy:0.3.0
similarity = 0.667
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-2VPBBIDW.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-2VPBBIDW.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings