registry  /  ccc-notifier  /  0.4.0

ccc-notifier@0.4.0

Claude Code Cost notifier (now also covers Codex CLI): per-prompt cost notifications (USD/JPY) with local history and HTML dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ccc-notifier init` (with `--codex` or interactive Codex confirmation); configured Stop hooks later run `track`.
Impact
Modifies AI-agent hook configuration and processes prompt/transcript data; a user-supplied Slack webhook can receive configured prompt excerpts.
Mechanism
Explicit AI-agent hook registration plus local transcript collection and optional Slack notification.
Rationale
This is not concrete malicious behavior, but it has real explicit-user-command AI-agent configuration mutation and prompt-processing capability. Flag as warn so the extension setup receives review rather than being silently trusted.
Evidence
package.jsondist/cli.jsdist/chunk-5LHZOZZO.jsdist/chunk-26CISNOE.jsdist/chunk-NV5UOHJA.jsdist/chunk-LHKBGA5K.js~/.claude/settings.json~/.claude/projects~/.codex/hooks.json~/.ccc-notifier/config.json~/.ccc-notifier/history.jsonl~/.ccc-notifier/cursors.json
Network endpoints3
raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.jsonapi.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USD

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-5LHZOZZO.js` user-invoked `init` writes Claude Stop-hook configuration.
  • Optional `--codex`/confirmed setup edits `~/.codex/hooks.json` to run `ccc-notifier track --codex`.
  • Hooked runtime reads Claude project transcripts and stores prompt/cost history locally.
  • Configured Slack webhook posts notification payloads containing prompt text.
Evidence against
  • `package.json` has only `prepublishOnly`; no npm install lifecycle hook.
  • Agent-hook mutation occurs only through explicit `init`, with interactive confirmation for Codex.
  • Remote fetches are fixed price/FX endpoints; no remote code loading or eval found.
  • Process spawning is limited to OS notifications, browser opening, and `wslpath`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 220 KB of source, external domains: api.frankfurter.dev, hooks.slack.com, open.er-api.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/chunk-2VPBBIDW.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ccc-notifier@0.3.0 matchedIdentity = npm:Y2NjLW5vdGlmaWVy:0.3.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-2VPBBIDW.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-2VPBBIDW.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings