registry  /  tweakcc-fixed  /  2.5.3

tweakcc-fixed@2.5.3

Maintained fork of tweakcc — patch an installed Claude Code (npm or native binary) with curated system-prompt overrides, system-reminder overrides, and fork-only patches. Pairs with skrabe/lobotomized-claude-code.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 493 KB of source, external domains: example.com, github.com, piebald.ai, raw.githubusercontent.com

Source & flagged code

5 flagged · loading source
dist/config-BfUx7VQX.mjsView file
1import{createRequire as e}from"node:module";import t from"chalk";import*as n from"node:os";import r,{EOL as i}from"node:os";import*as a from"node:fs/promises";import o from"node:fs... L2:
High
Child Process

Package source references child process execution.

dist/config-BfUx7VQX.mjsView on unpkg · L1
1import{createRequire as e}from"node:module";import t from"chalk";import*as n from"node:os";import r,{EOL as i}from"node:os";import*as a from"node:fs/promises";import o from"node:fs... L2: ... L15: # summary L16: Output an updated running summary - a terse TL;DR of the session in the fewest words that still capture what was done and how hard it has been. Fold the most recent exchange into t... L17: `)}]})`,p=c;c=c.slice(0,t.index)+f+c.slice(t.index+t[0].length),L(p,c,f,t.index,t.index+f.length)}else{let t=Ge(c);if(!t)console.log(`patch: patchesAppliedIndication: patch 3 skipp... L18: `);t.startIndex>0&&c[t.startIndex-1]===`,`&&i.startsWith(`,`)&&(i=i.slice(1)),i.endsWith(`,`)&&c[t.startIndex]===`,`&&(i=i.slice(0,-1));let a=c;c=c.slice(0,t.startIndex)+i+c.slice(... L19: {{context_blocks}} ... L54: L55: IMPORTANT: After completing your current task, you MUST address the user's message above. Do not ignore it.`,apply(e,t,n){return M(e,/((?:case"auto-continuation":)?case"human":case... L56: `).length-1),{name:n||``,description:r||``,ccVersion:i||``,variables:a||[],content:t.content,contentLineOffset:o}},Et=(e,t,n)=>{let r=t||P(e.pieces,e.identifiers,e.identifierMap),i... ... L600:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/config-BfUx7VQX.mjsView on unpkg · L1
dist/index.mjsView file
1#!/usr/bin/env node L2: import{$ as e,B as t,D as n,E as r,F as i,G as a,H as o,I as s,K as c,L as l,M as u,N as d,O as f,P as p,Q as m,R as h,S as g,T as _,U as v,V as y,W as b,X as x,Z as S,_ as C,a as ... L3: (However, your customization are still remembered in ${N}.) ... L16: const vars = ${JSON.stringify(n)}; L17: process.env = {}; L18: const fn = new Function('js', 'vars', ${JSON.stringify(e)});
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import{$ as e,B as t,D as n,E as r,F as i,G as a,H as o,I as s,K as c,L as l,M as u,N as d,O as f,P as p,Q as m,R as h,S as g,T as _,U as v,V as y,W as b,X as x,Z as S,_ as C,a as ... L3: (However, your customization are still remembered in ${N}.) ... L5: Please reapply your changes by running \`${n} --apply\`.`,type:`warning`}),d(()=>{}))},[]),H((e,t)=>{t.ctrl&&e===`c`&&process.exit(0),(e===`q`||t.escape)&&!p&&process.exit(0),e===`... L6: `).length,timings:{formatMs:l-o,diffMs:d-l,totalMs:d-o}}}function pn(e,t=!0){return new Promise(n=>{let r=!1,i=e=>{r||(r=!0,a.close(),n(e))},a=ze.createInterface({input:process.std... L7: ⚠ The patched code failed to parse, but the original parsed cleanly —
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.mjsView on unpkg · L1
17process.env = {}; L18: const fn = new Function('js', 'vars', ${JSON.stringify(e)}); L19: const result = await fn(input, vars);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.mjsView on unpkg · L17

Findings

3 High2 Medium6 Low
HighChild Processdist/config-BfUx7VQX.mjs
HighSame File Env Network Executiondist/index.mjs
HighCommand Output Exfiltrationdist/index.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.mjs
LowWeak Cryptodist/config-BfUx7VQX.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings