registry  /  claude-code-panel  /  0.13.0

claude-code-panel@0.13.0

Zero-dependency local dashboard for Claude Code: commands, skills, agents, plugins, workflows, sessions and a ccusage-accurate token usage dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Running the package starts a localhost panel and automatically persists a shell-level `claude` wrapper unless disabled. The wrapper routes future Claude Code API traffic through a localhost capture proxy, which records sensitive session content locally.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `claude-code-panel` or `node server.js`; startup calls proxy setup unless `CCP_NO_PROXY_SETUP` is set.
Impact
Future Claude Code prompts, tool definitions, responses, and thinking may be retained locally; shell startup files are modified.
Mechanism
Persistent shell wrapper plus localhost API interception and capture logging.
Rationale
The package is not malicious under the stated boundary because no install hook or concrete third-party exfiltration chain exists. It warrants a warning because ordinary runtime startup automatically creates persistent shell interception for an AI-agent client and stores captured sensitive session data.
Evidence
package.jsonserver.jsscripts/gen-demo-data.py~/.zshrc~/.zprofile~/.bashrc~/.bash_profile~/.profile~/.config/fish/config.fish~/.claude/panel-captures.jsonl~/.claude/panel-config.json
Network endpoints2
127.0.0.1:<PROXY_PORT>api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `server.js` automatically installs a persistent `claude` shell wrapper on first panel startup.
  • The wrapper redirects Claude traffic to a local inspector proxy and persists captured prompts, tool definitions, responses, and thinking.
  • `server.js` appends captures to `~/.claude/panel-captures.jsonl`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • The proxy binds only to `127.0.0.1` and forwards requests to `api.anthropic.com`.
  • No external exfiltration endpoint, remote payload loader, eval, or destructive behavior was found.
  • Shell/profile mutation is reached only after the user runs the package entrypoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 83.5 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
server.jsView file
10*/ L11: const http = require('http'); L12: const https = require('https'); ... L17: L18: const PORT = process.env.PORT || 4321; L19: const PROXY_PORT = process.env.PROXY_PORT || Number(PORT) + 1; ... L29: if (process.env.CCP_RC_FILE) return process.env.CCP_RC_FILE.split(',').filter(Boolean); // 测试用 L30: const home = os.homedir(); L31: const targets = new Set(); ... L33: const candidates = [ L34: '.zshrc', '.zprofile', // zsh(macOS 默认) L35: '.bashrc', '.bash_profile', // bash
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

server.jsView on unpkg · L10
10Trigger-reachable chain: manifest.main -> server.js L10: */ L11: const http = require('http'); L12: const https = require('https'); ... L17: L18: const PORT = process.env.PORT || 4321; L19: const PROXY_PORT = process.env.PROXY_PORT || Number(PORT) + 1; ... L29: if (process.env.CCP_RC_FILE) return process.env.CCP_RC_FILE.split(',').filter(Boolean); // 测试用 L30: const home = os.homedir(); L31: const targets = new Set(); ... L33: const candidates = [ L34: '.zshrc', '.zprofile', // zsh(macOS 默认) L35: '.bashrc', '.bash_profile', // bash
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg · L10
scripts/gen-demo-data.pyView file
path = scripts/gen-demo-data.py kind = build_helper sizeBytes = 19617 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/gen-demo-data.pyView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalPersistence Backdoorserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/gen-demo-data.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings