ccspend@0.1.0

ccusage, but for the real money your agent spends — an agentic-payments statusline for Claude Code.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `ccspend setup`, then Claude Code invokes the configured statusline or PostToolUse hook.
Impact
Could expose users to unpinned latest agentcash code during hook refresh, but behavior is package-aligned and not lifecycle-triggered.
Mechanism
user-invoked agent hook setup plus runtime package-manager execution
Policy narrative
The package is a Claude Code statusline/payment monitor. Its setup command modifies Claude settings and installs a PostToolUse hook, but this is explicit CLI behavior and not an npm lifecycle mutation. The main unresolved risk is the hook refresh invoking `npx -y agentcash@latest`, which delegates runtime execution to an unpinned external package.
Rationale
Source inspection supports a warn-level agent integration risk rather than malware: the sensitive Claude settings mutation is explicit setup behavior and package-aligned, with no install-time execution or exfiltration. The unpinned runtime `npx` call and agent hook registration justify a warning.
Evidence
  • package.json
  • dist/cli.js
  • dist/commands/setup.js
  • dist/commands/hook.js
  • dist/providers/agentcash.js
  • dist/providers/evm.js
  • dist/baseWrap.js
  • dist/paths.js
  • dist/state.js
  • ~/.claude/settings.json
  • ~/.claude/settings.json.pre-ccspend.bak
  • ~/.ccspend/config.json
  • ~/.ccspend/feed.jsonl
  • ~/.ccspend/balance.json
  • ~/.ccspend/.refresh.lock
  • ~/.ccspend/sessions/<sessionId>.json
Network endpoints (1)
mainnet.base.org

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/setup.js user-invoked `setup` writes Claude Code settings and adds a PostToolUse hook for `mcp__agentcash__.*`.
  • dist/providers/agentcash.js hook refresh runs `npx -y agentcash@latest accounts --format json`, pulling latest runtime code.
  • dist/baseWrap.js can run a user-configured base statusline through `bash -c`.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • dist/cli.js only dispatches explicit `statusline`, `hook`, or `setup` commands.
  • dist/hookParse.js records agentcash payment metadata from Claude hook stdin; no credential harvesting found.
  • dist/providers/evm.js performs read-only JSON-RPC `eth_call` to configured/public RPC endpoints.
  • No hidden eval/vm/native binary loading, destructive actions, persistence daemons, or exfiltration endpoints found.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 20 file(s), 28.2 KB of source, external domains: mainnet.base.org

Source & flagged code

2 flagged
dist/providers/agentcash.js

    1  import { execFileSync } from 'node:child_process';
    2  import { parseAgentcashBalances } from './agentcashParse.js';

High
Child Process

Package source references child process execution.

dist/providers/agentcash.js · L1

    8   async getBalances() {
    9       const raw = execFileSync('npx', ['-y', 'agentcash@latest', 'accounts', '--format', 'json'], { encoding: 'utf8', timeout: 30_000 });
    10      return parseAgentcashBalances(raw);

High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/providers/agentcash.js · L8

Findings

3 High · 2 Medium · 3 Low
  • High · Child Process · dist/providers/agentcash.js
  • High · Shell
  • High · Runtime Package Install · dist/providers/agentcash.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings