// npm 패키지
pinclaw-cc-bridge
Pinclaw Claude Code bridge — discovers local Claude Code sessions and syncs their state to Pinclaw cloud (read-only v1).
버전
1
메인테이너
1
최초 publish
2026-06-05
publisher
shangyiyong
tarball
35,287 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-05
// exfil path
what is read → where it shipssteals
(no specific credential-read flag matched)
sends to
- ⚙ curl | bash(fetches + executes remote payload)
// offending code· @0.1.0· 1 file flagged
llm: malicious · 0.95→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남.
- @0.1.0··AUTO-PUBLISHED·publisher: shangyiyongheuristic 40/100static flags 1llm malicious (0.95) via fast-tracknew-publisher:0dfirst-version-of-packageai-agent-frameworkcurl-pipe-bash
→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남.
// offending code· 1 file flaggedpatterns: 1
--- install scripts --- ### prepublishOnly npm run build --- package/install-cc.sh (excerpt) --- #!/usr/bin/env bash # Pinclaw Claude Code bridge installer. # curl -fsSL https://pinclaw.ai/install-cc | bash # Binds this Mac to your Pinclaw account via device-code browser auth, installs # the bridge, and registers a launchd background service (auto-starts on login). set -euo pipefail API="${PINCLAW_API:-https://api.pinclaw.ai}" WS_URL="${PINCLAW_CC_URL:-wss://api.pinclaw.ai/cc-bridge/connect}" CFG_DIR="$HOME/.pinclaw" CFG="$CFG_DIR/cc-bridge.json" PLIST="$HOME/Library/LaunchAgents/ai.pinclaw.cc-bridge.plist" LABEL="ai.pinclaw.cc-bridge" echo "→ Pinclaw Claude Code bridge installer" command -v node >/dev/null 2>&1 || { echo "✗ Node.js not found. Claude Code needs Node — install it first."; exit 1; } # ── 1. device-code browser auth (reuses the agent-bus flow) ── echo "→ Requesting authorization…" START=$(curl -fsS -X POST "$API/api/v1/agent-bus/device/start") DEVICE_CODE=$(echo "$START" | node -e 'process.stdin.once("data",d=>console.log(JSON.parse(d).device_code))') VERIFY_URL=$(echo "$START" | node -e 'process.stdin.once("data",d=>console.log(JSON.parse(d).verify_url))') INTERVAL=$(echo "$START" | node -e 'process.stdin.once("data",d=>console.log(JSON.parse(d).interval||3))') echo "→ Opening your browser to authorize:" echo " $VERIFY_URL" ( command -v open >/dev/null 2>&1 && open "$VERIFY_URL" ) || echo " (open the URL above manually)" echo "→ Waiting for you to click Authorize…" TOKEN="" for _ in $(seq 1 100); do sleep "$INTERVAL" POLL=$(curl -fsS -X POS
