AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `ccspend setup`, then Claude Code invokes the configured statusline or PostToolUse hook.
Impact
Could expose users to unpinned latest agentcash code during hook refresh, but behavior is package-aligned and not lifecycle-triggered.
Mechanism
user-invoked agent hook setup plus runtime package-manager execution
Policy narrative
The package is a Claude Code statusline/payment monitor. Its setup command modifies Claude settings and installs a PostToolUse hook, but this is explicit CLI behavior and not an npm lifecycle mutation. The main unresolved risk is the hook refresh invoking `npx -y agentcash@latest`, which delegates runtime execution to an unpinned external package.
Rationale
Source inspection supports a warn-level agent integration risk rather than malware: the sensitive Claude settings mutation is explicit setup behavior and package-aligned, with no install-time execution or exfiltration. The unpinned runtime `npx` call and agent hook registration justify a warning.
Evidence
- package.json
- dist/cli.js
- dist/commands/setup.js
- dist/commands/hook.js
- dist/providers/agentcash.js
- dist/providers/evm.js
- dist/baseWrap.js
- dist/paths.js
- dist/state.js
- ~/.claude/settings.json
- ~/.claude/settings.json.pre-ccspend.bak
- ~/.ccspend/config.json
- ~/.ccspend/feed.jsonl
- ~/.ccspend/balance.json
- ~/.ccspend/.refresh.lock
- ~/.ccspend/sessions/<sessionId>.json
Network endpoints (1)
mainnet.base.org
Decision evidence
public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/commands/setup.js user-invoked `setup` writes Claude Code settings and adds a PostToolUse hook for `mcp__agentcash__.*`.
- dist/providers/agentcash.js hook refresh runs `npx -y agentcash@latest accounts --format json`, pulling latest runtime code.
- dist/baseWrap.js can run a user-configured base statusline through `bash -c`.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- dist/cli.js only dispatches explicit `statusline`, `hook`, or `setup` commands.
- dist/hookParse.js records agentcash payment metadata from Claude hook stdin; no credential harvesting found.
- dist/providers/evm.js performs read-only JSON-RPC `eth_call` to configured/public RPC endpoints.
- No hidden eval/vm/native binary loading, destructive actions, persistence daemons, or exfiltration endpoints found.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
dist/providers/agentcash.js
L1: import { execFileSync } from 'node:child_process';
L2: import { parseAgentcashBalances } from './agentcashParse.js';
High
Child Process
Package source references child process execution.
dist/providers/agentcash.js · L1
L8: async getBalances() {
L9: const raw = execFileSync('npx', ['-y', 'agentcash@latest', 'accounts', '--format', 'json'], { encoding: 'utf8', timeout: 30_000 });
L10: return parseAgentcashBalances(raw);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/providers/agentcash.js · L8
Findings
3 High · 2 Medium · 3 Low
- High · Child Process · dist/providers/agentcash.js
- High · Shell
- High · Runtime Package Install · dist/providers/agentcash.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · Url Strings