registry  /  claude-occ  /  1.0.0

claude-occ@1.0.0

occ gateway proxy for Claude Code

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has an install-time native binary bootstrapper. This is not confirmed malicious, but it creates unresolved supply-chain risk because npm install can fetch and execute-package an external release asset.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then user invokes occ or claude-occ
Impact
Downloaded native binary runs with the user's privileges when the CLI is invoked; install fetch source can be altered with CLAUDE_OCC_RELEASE_REPO.
Mechanism
install-time remote binary download and CLI wrapper execution
Rationale
Static inspection shows a disclosed package-owned CLI bootstrapper, not concrete malware, but install-time remote native binary retrieval is a real unresolved risk. Because no credential theft, destructive action, persistence, or AI-agent control-surface mutation was found in the package source, this should warn rather than block.
Evidence
package.jsonbin/postinstall.jsbin/occ.jsREADME.mdbin/occbin/occ.exe../../target/release/occ../../target/release/occ.exe
Network endpoints2
github.com/flyingsquirrel0419/claude-occ/releases/download/v1.0.0/occ-<arch>-<platform>github.com/${CLAUDE_OCC_RELEASE_REPO}/releases/download/v1.0.0/occ-<arch>-<platform>

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./bin/postinstall.js
  • bin/postinstall.js downloads a platform executable from GitHub releases when local target/release binary is absent
  • bin/postinstall.js allows CLAUDE_OCC_RELEASE_REPO to change the GitHub owner/repo used for the install-time binary download
  • bin/postinstall.js follows redirects and writes the downloaded bytes to bin/occ or bin/occ.exe, then chmods executable
  • bin/occ.js executes the installed native binary with user-supplied CLI args via spawnSync
Evidence against
  • No credential harvesting, filesystem scanning, destructive behavior, persistence, or exfiltration found in inspected JS files
  • Network use is package-aligned for downloading a versioned release asset from the declared GitHub project by default
  • README discloses the package installs an occ launcher and acts as a local Claude Code gateway proxy
  • No AI-agent configuration files are written by the npm postinstall script
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.83 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings