registry  /  ccc-notifier  /  0.6.0

ccc-notifier@0.6.0

Claude Code Cost notifier (now also covers Codex CLI): per-prompt cost notifications (USD/JPY) with local history and HTML dashboard

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked cost notifier that can install its own hooks and optionally send notifications to a user-supplied Slack webhook.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `ccc-notifier init` or configured Claude/Codex hook execution.
Impact
Reads local Claude/Codex usage data; optional Slack notification may include configured prompt content.
Mechanism
Local transcript accounting, notifications, and first-party hook registration.
Rationale
Source inspection shows explicit, package-aligned notifier setup rather than unconsented install-time mutation or a concrete malicious chain. Network use is limited to exchange-rate retrieval and an optional user-configured Slack webhook.
Evidence
package.jsondist/cli.jsdist/chunk-CH34OJ7Q.jsdist/chunk-NV5UOHJA.jsdist/chunk-D4D76RGQ.jsdist/chunk-OOAC5ULQ.js~/.claude/settings.json~/.codex/hooks.json~/.ccc-notifier
Network endpoints2
api.frankfurter.dev/v1/latest?base=USD&symbols=JPYopen.er-api.com/v6/latest/USD

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/chunk-CH34OJ7Q.js` registers Claude/Codex hooks, but only via explicit `init`.
  • `dist/chunk-NV5UOHJA.js` can POST prompt text to a user-configured Slack webhook.
  • `dist/chunk-D4D76RGQ.js` fetches USD/JPY exchange rates.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/cli.js` dispatches setup, tracking, and dashboard behavior only after CLI or configured-hook invocation.
  • `dist/chunk-CH34OJ7Q.js` edits only recognized ccc-notifier hook entries and creates backups.
  • `dist/chunk-NV5UOHJA.js` sends Slack data only when a configured webhook exists; no fixed exfiltration endpoint.
  • No eval, shell execution of untrusted input, credential harvesting, or remote payload loading found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 288 KB of source, external domains: api.frankfurter.dev, open.er-api.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/chunk-4JSRGJCZ.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ccc-notifier@0.4.0 matchedIdentity = npm:Y2NjLW5vdGlmaWVy:0.4.0 similarity = 0.350 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-4JSRGJCZ.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-4JSRGJCZ.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings