registry  /  tweakcc-fixed  /  2.6.4

tweakcc-fixed@2.6.4

⚠ Under review

Maintained fork of tweakcc — patch an installed Claude Code (npm or native binary) with curated system-prompt overrides, system-reminder overrides, and fork-only patches. Pairs with skrabe/lobotomized-claude-code.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 504 KB of source, external domains: example.com, github.com, piebald.ai, raw.githubusercontent.com

Source & flagged code

6 flagged · loading source
dist/config-Dd0mwDex.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = tweakcc-fixed@2.5.4 matchedIdentity = npm:dHdlYWtjYy1maXhlZA:2.5.4 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/config-Dd0mwDex.mjsView on unpkg
1import{createRequire as e}from"node:module";import t from"chalk";import*as n from"node:os";import r,{EOL as i}from"node:os";import*as a from"node:fs/promises";import o from"node:fs... L2:
High
Child Process

Package source references child process execution.

dist/config-Dd0mwDex.mjsView on unpkg · L1
1import{createRequire as e}from"node:module";import t from"chalk";import*as n from"node:os";import r,{EOL as i}from"node:os";import*as a from"node:fs/promises";import o from"node:fs... L2: ... L15: # summary L16: Output an updated running summary - a terse TL;DR of the session in the fewest words that still capture what was done and how hard it has been. Fold the most recent exchange into t... L17: `)}]})`,p=c;c=c.slice(0,t.index)+f+c.slice(t.index+t[0].length),I(p,c,f,t.index,t.index+f.length)}else{let t=Ge(c);if(!t)console.log(`patch: patchesAppliedIndication: patch 3 skipp... L18: `);t.startIndex>0&&c[t.startIndex-1]===`,`&&i.startsWith(`,`)&&(i=i.slice(1)),i.endsWith(`,`)&&c[t.startIndex]===`,`&&(i=i.slice(0,-1));let a=c;c=c.slice(0,t.startIndex)+i+c.slice(... L19: {{context_blocks}} ... L54: L55: IMPORTANT: After completing your current task, you MUST address the user's message above. Do not ignore it.`,apply(e,t,n){return M(e,/((?:case"auto-continuation":)?case"human":case... L56: `).length-1),{name:n||``,description:r||``,ccVersion:i||``,variables:a||[],content:t.content,contentLineOffset:o}},Dt=(e,t,n)=>{let r=t||N(e.pieces,e.identifiers,e.identifierMap),i... ... L600:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/config-Dd0mwDex.mjsView on unpkg · L1
dist/index.mjsView file
21const vars = ${JSON.stringify(n)}; L22: process.env = {}; L23: const fn = new Function('js', 'vars', ${JSON.stringify(e)}); L24: const result = await fn(input, vars); ... L30: }); L31: `;if(r)return Pn([],i,t);try{return await Pn([`--permission`],i,t)}catch(e){if(!Mn(e))throw e}try{return await Pn([`--experimental-permission`],i,t)}catch(e){if(Mn(e)){let e=Nn();t... L32: Patches applied (run with --show-unchanged to show all patches):`);for(let e of n){let n=r.get(e).filter(e=>e.applied||e.failed||_()||t&&t.includes(e.id));if(n.length!==0){console....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.mjsView on unpkg · L21
1#!/usr/bin/env node L2: import{$ as e,B as t,D as n,E as r,F as i,G as a,H as o,I as s,K as c,L as l,M as u,N as d,O as f,P as p,Q as m,R as h,S as g,T as _,U as v,V as y,W as b,X as x,Z as S,_ as C,a as ... L3: `+t.out.slice(-600)),n(`error`);return}u(`Installing (registers with every Chromium browser, MCP, skill, disables Claude in Chrome)…`);let r=[Ut,`install`,`--scope`,e];e===`project... ... L10: Please reapply your changes by running \`${n} --apply\`.`,type:`warning`}),d(()=>{}))},[]),B((e,t)=>{t.ctrl&&e===`c`&&process.exit(0),(e===`q`||t.escape)&&!p&&process.exit(0),e===`... L11: `).length,timings:{formatMs:l-o,diffMs:d-l,totalMs:d-o}}}function Dn(e,t=!0){return new Promise(n=>{let r=!1,i=e=>{r||(r=!0,a.close(),n(e))},a=Be.createInterface({input:process.std... L12: ⚠ The patched code failed to parse, but the original parsed cleanly —
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.mjsView on unpkg · L1
22process.env = {}; L23: const fn = new Function('js', 'vars', ${JSON.stringify(e)}); L24: const result = await fn(input, vars);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.mjsView on unpkg · L22

Findings

1 Critical3 High2 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/config-Dd0mwDex.mjs
HighChild Processdist/config-Dd0mwDex.mjs
HighSame File Env Network Executiondist/index.mjs
HighCommand Output Exfiltrationdist/index.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.mjs
LowWeak Cryptodist/config-Dd0mwDex.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings