AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package has guarded install-time system setup that can install OS packages and modify the user's shell rc file. This is package-aligned but still a lifecycle mutation of shell startup state.
Static reason
One or more suspicious static signals were detected.
Trigger
global npm install or explicit cc-setup
Impact
May alter shell startup behavior and install fzf/zoxide without a separate prompt during global install; no confirmed data theft or AI-agent hijack.
Mechanism
postinstall dependency installation and shell rc hook insertion
Attack narrative
On global install, postinstall runs lib/setup.js, detects missing fzf/zoxide, may invoke a system package manager, then writes a marked zoxide init block to the user's shell rc file. The CLI later uses zoxide/fzf to choose a directory and starts the local claude command there. I found no network exfiltration, credential collection, remote code loading, or unconsented writes into Claude/Codex/MCP control surfaces.
Rationale
This is not malicious under the AI-agent control-surface policy because it does not plant instructions or register tools in a foreign agent surface, and the shell hook is package-aligned and guarded to global/explicit setup. The install-time rc-file mutation and package-manager execution are real lifecycle risk, so warn rather than mark clean.
Evidence
package.json · lib/setup.js · lib/uninstall.js · bin/cc.js · bin/cc-scan.js · bin/cc-setup.js · README.md · ~/.zshrc · ~/.bashrc · ~/.profile
Decision evidence
public snapshot · AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall node lib/setup.js and preuninstall node lib/uninstall.js
- lib/setup.js global/forced install invokes brew/apt-get/dnf/pacman for fzf and zoxide
- lib/setup.js writes a zoxide init block into ~/.zshrc, ~/.bashrc, or ~/.profile
- lib/uninstall.js edits the detected rc file to remove its marked block
Evidence against
- Lifecycle setup is skipped unless npm_config_global=true or CLAUDE_JUMP_FORCE_SETUP=1
- No fetch/http client, credential harvesting, or exfiltration endpoints found by source grep
- bin/cc.js only invokes zoxide/fzf and launches claude in a selected directory
- bin/cc-scan.js is user-invoked and only finds .git directories to add parent paths to zoxide
- No writes to Claude/Codex/MCP settings or other AI-agent control surfaces found
Behavioral surface
Child Process · Environment Vars · Filesystem · Url Strings
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node lib/setup.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
lib/setup.js
L4: const { spawnSync } = require('child_process');
L5: const fs = require('fs');
...
L45: console.log(' Please install manually, then re-run: cc-setup');
L46: console.log(' fzf: https://github.com/junegunn/fzf#installation');
L47: console.log(' zoxide: https://github.com/ajeetdsouza/zoxide#installation');
...
L51: function detectShellName() {
L52: return path.basename(process.env.SHELL || 'bash');
L53: }
...
L55: function detectRcFile() {
L56: const home = os.homedir();
L57: switch (detectShellName()) {
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
lib/setup.js · L3
Findings
1 High · 2 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Environment Vars
Medium · Install Persistence · lib/setup.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings