AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `tcc init` or uses the `tcc` CLI/hook commands.
Impact
User-approved hook installation can rewrite agent Bash commands to token-saving `tcc` equivalents; no confirmed malicious payload or install-time compromise found.
Mechanism
explicit user-command AI-agent hook setup and local command proxying
Rationale
Static source inspection finds a legitimate command-output filtering CLI with explicit AI-agent hook setup, not an npm install-time hijack or exfiltration package. Because agent control-surface mutation exists only through user-invoked setup and no concrete attack behavior was found, this should be a warning-level capability risk rather than a publish block.
Evidence
package.jsoninstall.shclaude/tcc-rewrite.shsrc/hooks/init.rssrc/hooks/rewrite_cmd.rssrc/core/runner.rssrc/core/telemetry.rs~/.claude/settings.json~/.claude/hooks/rtk-rewrite.sh~/.config/rtk/filters.toml~/.local/share/rtk/tracking.db
Decision evidence
public snapshotAI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/hooks/init.rs implements explicit `tcc init` flows that patch AI-agent config such as Claude/Codex/Cursor settings.
- claude/tcc-rewrite.sh is a Claude PreToolUse hook that rewrites Bash commands through `tcc rewrite` and can set `permissionDecision: allow` for allowed rewrites.
- src/core/runner.rs and command modules execute user-requested wrapped commands via std::process::Command.
- src/core/telemetry.rs contains optional telemetry code, but it is gated by compile-time URL plus explicit consent and disabled by init in this build.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Agent hook/config mutation is activated by explicit user commands such as `tcc init`, not npm install or import-time execution.
- src/hooks/rewrite_cmd.rs checks deny/ask/default permission verdicts before rewrite and maps default to prompt, not auto-allow.
- No credential harvesting, destructive behavior, remote payload loading, or hardcoded exfiltration endpoint found in inspected source.
- install.sh only builds/installs the local Rust binary via cargo when manually run.
- package.json bin points to missing ./bin/index.js while native optional packages are declared, but this is packaging quality rather than malicious behavior.
Behavioral surface
Source & flagged code
1 flagged · loading sourceclaude/tcc-rewrite.shView file
•path = claude/tcc-rewrite.sh
kind = build_helper
sizeBytes = 3285
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
claude/tcc-rewrite.shView on unpkgFindings
1 Medium
MediumShips Build Helperclaude/tcc-rewrite.sh