
cc-safe

v0.1.13

Security scanner for Claude Code settings files

Readme

cc-safe

Security scanner for Claude Code settings files. Recursively scans all subdirectories for dangerous patterns in your approved commands that could compromise your host machine. You can run it manually or ask Claude Code to run it with npx cc-safe .

Motivation

A user reported on Reddit that Claude Code ran rm -rf tests/ patches/ plan/ ~/ - that trailing ~/ wiped their entire home directory.

It's easy to dismiss this as a "vibe coder" mistake, but when you're approving dozens of commands across multiple projects, mistakes happen. The permission prompt becomes muscle memory, and one bad approval can be catastrophic.

cc-safe automates what's hard to do manually: scan all your approved commands across all projects and flag the dangerous ones before they cause damage.

Installation

npm install -g cc-safe

Usage

cc-safe <directory> [options]

Examples

cc-safe .                  # Scan current directory and all subfolders
cc-safe ~/projects         # Scan a specific directory recursively
cc-safe . --no-low         # Hide LOW severity findings
cc-safe --help             # Show help

Options

| Option | Description |
|--------|-------------|
| --no-low | Hide LOW severity findings (show only HIGH and MEDIUM) |
| --help, -h | Show help message |

What It Detects

cc-safe scans .claude/settings.json and .claude/settings.local.json files for risky patterns in the permissions.allow array.

Severity Levels

HIGH - Critical security risks:

  • rm -rf / rm -f - Force-deletes files
  • Bash - Allows ANY bash command (without specifier)
  • chmod 777 - World-writable permissions
  • chmod -R - Recursive permission changes
  • curl | sh - Downloads and executes code
  • dd if= - Raw disk operations
  • mkfs, fdisk - Disk formatting
  • > /dev/sd* - Direct device writes
  • git push --force - Destroys remote history
  • --dangerously-skip-permissions - Bypasses all safety checks

MEDIUM - Potentially dangerous:

  • sudo (with system-modifying commands) - Runs commands as root
  • git reset --hard - Discards uncommitted changes
  • git clean -fd - Deletes untracked files
  • npm publish / yarn publish - Publishes to npm registry
  • twine upload - Publishes to PyPI (Python)
  • gem push - Publishes to RubyGems
  • cargo publish - Publishes to crates.io (Rust)
  • docker run --privileged - Full host access
  • docker run -v /:/ - Mounts entire host filesystem
  • eval - Code injection risk
  • git push --force-with-lease - Safer but still rewrites history

LOW - Worth noting:

  • sudo (with read-only commands) - Runs safe commands as root (e.g., sudo du, sudo ls, sudo cat, sudo apt-cache, sudo ps)
  • git push - Pushes to remote repository
  • rm / rm * - Broad file deletion patterns

Container Awareness

Commands inside containers are generally safe and skipped:

  • docker exec ...
  • podman exec ...
  • kubectl exec ...
  • docker run ... (except --privileged and root mounts)
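The severity rules and the container-awareness exceptions above, as an added illustration in Node.js; this is not cc-safe's own source, and SAMPLE_SETTINGS is a constructed permissions.allow array shaped like a .claude/settings.json file.

```javascript
// Added illustration, not cc-safe's own code: classify permissions.allow
// entries with the severity and container-awareness rules described above.
const SAMPLE_SETTINGS = { permissions: { allow: [ // constructed sample input
  "Bash", "Bash(rm -rf *)", "Bash(sudo *)", "Bash(sudo apt-get install *)",
  "Bash(sudo du -sh *)", "Bash(git reset --hard)", "Bash(npm test)",
  "Bash(docker exec app rm -rf /tmp/*)", "Bash(docker run --privileged *)",
] } };
// Ordered rules: first match wins, so HIGH patterns are checked before LOW ones.
const RULES = [
  ["HIGH", /\brm\s+-\w*f/, "rm -rf"],
  ["HIGH", /\bchmod\s+(777|-R)\b/, "chmod"],
  ["HIGH", /\bcurl\b[^|]*\|\s*sh\b/, "curl | sh"],
  ["HIGH", /\bgit push\b.*--force(?!-with-lease)/, "git push --force"],
  ["HIGH", /--dangerously-skip-permissions/, "--dangerously-skip-permissions"],
  ["MEDIUM", /\bgit reset --hard\b/, "git reset --hard"],
  ["MEDIUM", /\bgit clean -fd\b/, "git clean -fd"],
  ["MEDIUM", /\bdocker run\b.*(--privileged|-v\s+\/:\/)/, "docker run (host access)"],
  ["MEDIUM", /\beval\b/, "eval"],
  ["MEDIUM", /--force-with-lease/, "git push --force-with-lease"],
  ["LOW", /\bgit push\b/, "git push"],
  ["LOW", /\brm\b/, "rm"],
];
const SUDO_READONLY = /^sudo\s+(du|ls|cat|apt-cache|ps)\b/;

function classify(entry) {
  if (entry === "Bash") return { severity: "HIGH", rule: "Bash (allow all)" };
  const m = /^Bash\((.*)\)$/.exec(entry);
  if (!m) return null; // not a Bash permission (e.g. Read, Edit)
  const cmd = m[1].trim();
  // Container awareness: exec inside a container is skipped; docker run too, unless it grants host access.
  if (/^(docker|podman|kubectl) exec\b/.test(cmd)) return null;
  if (/^docker run\b/.test(cmd) && !/--privileged|-v\s+\/:\//.test(cmd)) return null;
  if (/^sudo\b/.test(cmd)) {
    if (/^sudo\s*\*?$/.test(cmd)) return { severity: "HIGH", rule: "sudo" }; // unrestricted
    if (SUDO_READONLY.test(cmd)) return { severity: "LOW", rule: "sudo (read-only)" };
    return { severity: "MEDIUM", rule: "sudo" };
  }
  for (const [severity, re, rule] of RULES) if (re.test(cmd)) return { severity, rule };
  return null;
}

// Returns the findings for one settings object; noLow mirrors the --no-low flag.
function scanSettings(settings, { noLow = false } = {}) {
  const allow = (settings.permissions && settings.permissions.allow) || [];
  return allow
    .map((entry) => ({ entry, ...classify(entry) }))
    .filter((f) => f.severity && !(noLow && f.severity === "LOW"));
}

console.log(scanSettings(SAMPLE_SETTINGS));
```

Running it reports seven findings: three HIGH, three MEDIUM and one LOW, while the docker exec entry and the harmless npm test entry are skipped.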

Example Output

$ cc-safe ~/projects

Scanning for Claude Code settings files in: /Users/you/projects

Found 3 settings file(s), analyzing...

/Users/you/projects/webapp/.claude/settings.json
  [HIGH] sudo: "Bash(sudo *)"
  [HIGH] Bash (allow all): "Bash"

/Users/you/projects/scripts/.claude/settings.local.json
  [MEDIUM] git reset --hard: "Bash(git reset --hard)"

Summary: 2 high, 1 medium risk pattern(s) found

Requirements

  • Node.js 22+

Origin

Originally published as Tip #32 in Claude Code Tips.