
codecc-cli@0.1.2

codecc client: device-code authorization (loopback callback + polling fallback) + a private Claude Code wrapper

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Environment Vars, Filesystem, Network
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No License

Scanned 1 file, 2.70 KB of source; external domains: registry.npmjs.org

Source & flagged code

3 flagged

bin/codecc.js
  L4:  Download the @codecc-cli/<platform> platform package, extract the binary into the cache, then exec. */
  L5:  const { spawnSync } = require('node:child_process')
  L6:  const fs = require('node:fs')
High
Child Process

Package source references child process execution.

bin/codecc.js · L4 (view on unpkg)
  L4:  Download the @codecc-cli/<platform> platform package, extract the binary into the cache, then exec. */
  L5:  const { spawnSync } = require('node:child_process')
  L6:  const fs = require('node:fs')
  ...
  L11: const SCOPE = '@codecc-cli'
  L12: const REGISTRY = (process.env.CODECC_NPM_REGISTRY || 'https://registry.npmjs.org').replace(/\/$/, '')
  L13:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/codecc.js · L4 (view on unpkg)
  L4:  Download the @codecc-cli/<platform> platform package, extract the binary into the cache, then exec. */
  L5:  const { spawnSync } = require('node:child_process')
  L6:  const fs = require('node:fs')
  ...
  L11: const SCOPE = '@codecc-cli'
  L12: const REGISTRY = (process.env.CODECC_NPM_REGISTRY || 'https://registry.npmjs.org').replace(/\/$/, '')
  L13:
  L14: function isMusl() {
  L15:   if (process.platform !== 'linux') return false
  L16:   try { return !process.report.getReport().header.glibcVersionRuntime } catch { return true }
  ...
  L30: const binName = process.platform === 'win32' ? 'codecc.exe' : 'codecc'
  L31: const home = process.env.CODECC_HOME || path.join(os.homedir(), '.codecc')
  L32: const dir = path.join(home, 'npm-bin', VERSION + '-' + name)
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. In the quoted excerpt the gate is process.platform together with isMusl(), which select which @codecc-cli/<platform> package to download; packages that ship native binaries legitimately use the same pattern, so the question that decides this finding is whether the downloaded binary is verified (checksum or signature) before it is executed, which the quoted lines do not show.

bin/codecc.js · L4 (view on unpkg)

Findings

3 High · 3 Medium · 4 Low

High    Child Process                       bin/codecc.js
High    Same File Env Network Execution     bin/codecc.js
High    Sandbox Evasion Gated Capability    bin/codecc.js
Medium  Network
Medium  Environment Vars
Medium  Structural Risk Force Deep Review
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings
Low     No License