[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-claude-code-hidden-checks-expose-bad-habit-en":3,"article-related-claude-code-hidden-checks-expose-bad-habit-en":30,"series-tools-111ad479-9e7b-48a2-9f7c-1c907d239865":80},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":22,"views":26,"created_at":27,"published_at":28,"topic_cluster_id":29},"111ad479-9e7b-48a2-9f7c-1c907d239865","claude-code-hidden-checks-expose-bad-habit-en","Claude Code’s hidden checks expose a bad habit","\u003Cp data-speakable=\"summary\">\u003Ca href=\"\u002Ftag\u002Fclaude-code\">Claude Code\u003C\u002Fa>’s hidden checks show how to audit AI tools before they touch your codebase.\u003C\u002Fp>\u003Cp>I've been using Claude Code for a while, and honestly, it had started to feel too polite. Helpful, fast, always ready to patch the next file. That’s exactly why this story bothered me. If a coding tool is running inside my shell, I want to know what it’s doing, what it’s calling out to, and what it’s quietly deciding on my behalf. Not because I’m paranoid for sport, but because I’ve been burned enough times by tools that looked like a thin wrapper around magic until I cracked them open and found a pile of assumptions underneath.\u003C\u002Fp>\u003Cp>Then Chaofan Shou posted a thread on X and pointed at \u003Ca href=\"\u002Ftag\u002Fanthropic\">Anthropic\u003C\u002Fa>’s Claude Code npm package, arguing that it contained hidden logic for identifying Chinese users. The original writeup I’m reacting to is this \u003Ca href=\"https:\u002F\u002Fzhuanlan.zhihu.com\u002Fp\u002F2055654173811782912\">Zhihu post\u003C\u002Fa>, which summarizes that claim and frames it as a serious trust issue for developers using the tool. I’m not treating that post as a final legal verdict. I’m treating it as a useful warning sign: when an AI dev tool ships behavior you didn’t notice in the changelog, you should assume the package deserves a harder look.\u003C\u002Fp>\u003Ch2>The real problem is not China, it’s invisible behavior\u003C\u002Fh2>\u003Cblockquote>“Anthropic 的 AI 编程工具 Claude Code 的 npm 包里，带着一…”\u003C\u002Fblockquote>\u003Cp>What this actually means is simple: the issue isn’t just what the code does, it’s that the code does it without being obvious to the person installing it. That’s the part that makes developers lose sleep. I don’t care whether the hidden logic is for routing, safety, policy enforcement, telemetry, or region checks. If it’s buried in a package that sits between me and my repository, I want it documented, named, and reviewable.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783447389193-3bbw.png\" alt=\"Claude Code’s hidden checks expose a bad habit\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>I’ve run into this pattern before with SDKs that quietly changed network behavior after install. The first time, I shrugged. The second time, I started diffing package contents before I even ran the binary. That’s the mindset I’d apply here. If a tool can modify prompts, inspect environment details, or branch on locale, then the trust boundary has already moved. You’re not just installing a coding assistant. You’re installing policy.\u003C\u002Fp>\u003Cp>How to apply it: inspect the package source before adoption, pin exact versions, and make “what network calls happen?” a first-class review item. If your team can’t answer that in five minutes, the tool is not ready for production use.\u003C\u002Fp>\u003Cul>\u003Cli>Read the published package contents, not just the marketing page.\u003C\u002Fli>\u003Cli>Check whether the tool phones home on startup, login, or command execution.\u003C\u002Fli>\u003Cli>Write down the behavior you expect before you test the behavior you got.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>npm packages are not a trust fall\u003C\u002Fh2>\u003Cp>The Zhihu summary is reacting to an npm-distributed Claude Code package, which matters because npm is one of the easiest places for behavior to hide in plain sight. You can publish a package, ship a CLI, update it fast, and most users will just install the latest version and move on. That convenience is great until the package starts making decisions you didn’t audit.\u003C\u002Fp>\u003Cp>What this actually means is that package managers amplify surprises. The smaller the install step feels, the less likely people are to inspect what they’re pulling in. I’ve seen teams trust a CLI because it came from a brand they recognized, then discover the binary wrapped a web request that wasn’t mentioned anywhere in the docs. That’s not a technical failure alone. That’s a process failure.\u003C\u002Fp>\u003Cp>How to apply it: treat \u003Ca href=\"\u002Ftag\u002Fai-coding-tools\">AI coding tools\u003C\u002Fa> like any other supply-chain dependency. Use lockfiles, internal mirrors if you can, and a review step for any package that can read your source tree or execute commands. If the package is closed-source or obfuscated, raise the bar again.\u003C\u002Fp>\u003Cul>\u003Cli>Prefer version pinning over floating installs.\u003C\u002Fli>\u003Cli>Review postinstall scripts and startup hooks.\u003C\u002Fli>\u003Cli>Keep a local copy of the exact artifact you tested.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Region logic is where product policy gets ugly fast\u003C\u002Fh2>\u003Cp>If the hidden code really was aimed at identifying Chinese users, then we’re in a familiar and annoying place: product policy expressed as code paths that users never asked for. Tools do this all the time. They detect locale, IP range, language, billing region, or account metadata, then branch into different behavior. Sometimes that’s legitimate. Sometimes it’s just the company turning legal anxiety into runtime logic.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783447384432-fwxz.png\" alt=\"Claude Code’s hidden checks expose a bad habit\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>What this actually means is that region checks are not neutral. They shape who \u003Ca href=\"\u002Fnews\u002Fclaude-fable-5-us-access-restored-en\">gets access\u003C\u002Fa>, what features appear, what warnings show up, and whether the product behaves differently under the hood. Once that logic is embedded in a developer tool, it stops being a simple business rule and becomes part of your build workflow. That’s a big deal.\u003C\u002Fp>\u003Cp>I ran into a similar mess with a SaaS CLI that worked fine in one region and degraded silently in another. No error, no banner, just slower responses and missing endpoints. The docs never said that. The logs eventually did. That’s why I’ve stopped trusting “it probably only affects UI” excuses. In dev tools, region logic can alter output, not just presentation.\u003C\u002Fp>\u003Cp>How to apply it: ask vendors directly whether the tool behaves differently by region, account type, or IP. If they won’t answer, assume it does. Then test from multiple environments before you let the tool into shared workflows.\u003C\u002Fp>\u003Ch2>Security researchers are doing the job vendors should do\u003C\u002Fh2>\u003Cp>Chaofan Shou is the name that matters here, because this kind of discovery usually starts with one person poking at a package and noticing something weird. That’s not a dig at researchers. It’s a dig at the state of software hygiene. We keep depending on outsiders to notice the weird branch, the odd string, the extra request, the code path that was never supposed to be public.\u003C\u002Fp>\u003Cp>What this actually means is that transparency is being outsourced. If a researcher has to reconstruct the behavior from a published npm artifact and then post about it on X, the vendor has already failed the basic “tell users what your tool does” test. I’m not asking for saintly purity here. I’m asking for a changelog that doesn’t read like a tax form and a package that doesn’t hide important branching logic in minified corners.\u003C\u002Fp>\u003Cp>If you want to check the original signal, start with Chaofan Shou’s post on X and then compare it to the package contents yourself. If you can’t inspect the code, inspect the claims. If you can’t inspect the claims, don’t install it. That sounds harsh, but I’d rather be annoying than surprised.\u003C\u002Fp>\u003Cp>How to apply it: make researchers part of your review loop. When a credible report lands, pause upgrades, compare artifacts, and document what changed. Don’t wait for the vendor to reframe the issue as “expected behavior.”\u003C\u002Fp>\u003Ch2>My rule for AI tools: if I can’t explain it, I don’t ship it\u003C\u002Fh2>\u003Cp>This is where I’ve landed after enough tool churn to get cynical in a useful way. I don’t need every \u003Ca href=\"\u002Ftag\u002Fai-coding\">AI coding\u003C\u002Fa> assistant to be \u003Ca href=\"\u002Fnews\u002Fopencode-vs-cursor-open-source-cli-vs-ai-editor-2026-en\">open source\u003C\u002Fa>. I do need to be able to explain, in plain language, what it does when I run it, what data it sees, what data it sends, and what policy branches it can take. If I can’t explain that to another engineer on my team, the tool is still in the “interesting demo” bucket.\u003C\u002Fp>\u003Cp>What this actually means is that trust has to be earned at the behavior level, not the logo level. Anthropic, OpenAI, Google, whoever — none of that matters if the package does something hidden and the user only finds out from a researcher’s thread. The brand is not the control. The code is the control.\u003C\u002Fp>\u003Cp>How to apply it: add a short approval checklist for AI \u003Ca href=\"\u002Ftag\u002Fdeveloper-tools\">developer tools\u003C\u002Fa>. Keep it boring. Keep it strict. Make someone answer the same questions every time: what files can it read, what network calls can it make, what environment variables does it inspect, and does it behave differently by account or region?\u003C\u002Fp>\u003Cul>\u003Cli>Can it read the entire repo or only the current file?\u003C\u002Fli>\u003Cli>Does it send prompts or code snippets to a remote service?\u003C\u002Fli>\u003Cli>Can it change behavior based on locale, IP, or account metadata?\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>What I’d tell my team before installing Claude Code again\u003C\u002Fh2>\u003Cp>I’m not telling anyone to panic-install a replacement and pretend this never happened. That’s lazy. I’m telling you to treat AI coding tools like privileged software, because that’s what they are. They sit next to your source, your secrets, and your build pipeline. If they hide behavior, even for a policy reason, they deserve the same scrutiny you’d give a payment SDK or an auth library.\u003C\u002Fp>\u003Cp>What this actually means is that the next time a vendor says “it’s just a helper,” I’m going to ask for the diff, the network trace, and the exact conditions that change behavior. If they get defensive, that tells me enough. Good tools survive inspection. Bad ones rely on you not looking too hard.\u003C\u002Fp>\u003Cp>How to apply it: write a one-page internal policy for AI coding assistants. Keep the approval criteria visible. Make the security review short, repeatable, and annoying in the right way.\u003C\u002Fp>\u003Ch2>The template you can copy\u003C\u002Fh2>\u003Cpre>\u003Ccode># AI Coding Tool Review Checklist\n\n## Tool\n- Name:\n- Version:\n- Source URL:\n- Package manager \u002F install method:\n\n## What it can access\n- [ ] Repo files\n- [ ] Local shell commands\n- [ ] Environment variables\n- [ ] Secrets manager tokens\n- [ ] Network access\n\n## What it sends out\n- [ ] Prompts\n- [ ] Code snippets\n- [ ] File contents\n- [ ] Metadata\n- [ ] Region \u002F locale \u002F account signals\n\n## Behavior checks\n- [ ] Does it behave differently by region?\n- [ ] Does it behave differently by account type?\n- [ ] Does it phone home on startup?\n- [ ] Does it phone home on command execution?\n- [ ] Are those calls documented?\n\n## Supply-chain checks\n- [ ] Exact version pinned\n- [ ] Package contents reviewed\n- [ ] Postinstall scripts reviewed\n- [ ] Artifact archived internally\n- [ ] Upgrade path documented\n\n## Approval rule\n- Approved by:\n- Date:\n- Notes:\n- Re-review trigger:\n  - New version\n  - New network behavior\n  - New region logic\n  - New file access scope\n\n## Decision\n- [ ] Approved\n- [ ] Approved with limits\n- [ ] Rejected\n\n## Why\nWrite the shortest honest explanation possible.\nIf you can’t explain the behavior in plain language, don’t ship it.\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>That checklist is mine, not Anthropic’s, and it’s intentionally boring. Boring is good when the thing under review can read your code and call home. The original reporting came from the Zhihu post at \u003Ca href=\"https:\u002F\u002Fzhuanlan.zhihu.com\u002Fp\u002F2055654173811782912\">zhuanlan.zhihu.com\u002Fp\u002F2055654173811782912\u003C\u002Fa>, which summarizes the claim and the surrounding reaction. Anything in my breakdown about workflow, review habits, and approval policy is my own interpretation of why this matters to developers.\u003C\u002Fp>","I break down the hidden Claude Code checks, why they spooked me, and the exact review checklist I’d use instead.","zhuanlan.zhihu.com","https:\u002F\u002Fzhuanlan.zhihu.com\u002Fp\u002F2055654173811782912",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783447389193-3bbw.png","tools","en","e1144d75-9832-4d02-97af-95700b5e9547",[17,18,19,20,21],"Claude Code","Anthropic","npm","supply chain","AI tools",[23,24,25],"Hidden behavior in AI tools is a trust problem, not just a code problem.","Treat AI coding assistants like privileged dependencies and review them accordingly.","Use a simple checklist to pin versions, inspect network calls, and catch region-based logic.",0,"2026-07-07T18:02:41.756127+00:00","2026-07-07T18:02:41.748+00:00","b403ce62-da5a-433f-ada3-145fc2b2de99",{"tags":31,"relatedLang":39,"relatedPosts":43},[32,34,35,37],{"name":21,"slug":33},"ai-tools",{"name":19,"slug":19},{"name":17,"slug":36},"claude-code",{"name":18,"slug":38},"anthropic",{"id":15,"slug":40,"title":41,"language":42},"claude-code-hidden-checks-expose-bad-habit-zh","Claude Code 讓你先審再用","zh",[44,50,56,62,68,74],{"id":45,"slug":46,"title":47,"cover_image":48,"image_url":48,"created_at":49,"category":13},"4c69c2cc-af92-46f6-8363-310011d4dbb1","claude-fable-5-us-access-restored-en","Claude Fable 5 Gets Access Back in the US","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783339420367-9grz.png","2026-07-06T12:03:14.080772+00:00",{"id":51,"slug":52,"title":53,"cover_image":54,"image_url":54,"created_at":55,"category":13},"730d012d-2979-4f5e-b881-545cfa17aa52","rustrover-2026-1-4-right-default-ide-rust-en","RustRover 2026.1.4 is the right default IDE for Rust teams","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783211563197-9rof.png","2026-07-05T00:32:20.046071+00:00",{"id":57,"slug":58,"title":59,"cover_image":60,"image_url":60,"created_at":61,"category":13},"fcbbb173-58d2-4218-a111-452a7238377e","claude-design-synced-prototypes-setup-en","Claude Design setup for synced prototypes","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783191767986-jvz3.png","2026-07-04T19:02:22.032457+00:00",{"id":63,"slug":64,"title":65,"cover_image":66,"image_url":66,"created_at":67,"category":13},"a3df178b-7492-4b4b-8ab6-1de524c2fbdd","rust-196-turns-ranges-into-safer-copies-en","Rust 1.96 turns ranges into safer copies","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783190002602-30jh.png","2026-07-04T18:32:53.529817+00:00",{"id":69,"slug":70,"title":71,"cover_image":72,"image_url":72,"created_at":73,"category":13},"b55fbd0c-846b-4592-953e-e581e1dd4918","ai-data-operations-vs-mlops-what-each-owns-en","AI Data Operations vs MLOps: what each owns","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783168368731-aeq1.png","2026-07-04T12:32:19.952613+00:00",{"id":75,"slug":76,"title":77,"cover_image":78,"image_url":78,"created_at":79,"category":13},"6f72b385-bc6c-47cf-b466-8eb40fed86a7","opentag-turns-slack-threads-into-actions-en","OpenTag turns Slack threads into actions","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1783148604415-put0.png","2026-07-04T07:02:50.733486+00:00",[81,86,91,96,101,106,111,116,121,126],{"id":82,"slug":83,"title":84,"created_at":85},"8008f1a9-7a00-4bad-88c9-3eedc9c6b4b1","surepath-ai-mcp-policy-controls-en","SurePath AI's New MCP Policy Controls Enhance AI Security","2026-03-26T01:26:52.222015+00:00",{"id":87,"slug":88,"title":89,"created_at":90},"27e39a8f-b65d-4f7b-a875-859e2b210156","mcp-standard-ai-tools-2026-en","MCP Standard in 2026: Integrating AI Tools","2026-03-26T01:27:43.127519+00:00",{"id":92,"slug":93,"title":94,"created_at":95},"165f9a19-c92d-46ba-b3f0-7125f662921d","rag-2026-transforming-enterprise-ai-en","How RAG in 2026 is Transforming Enterprise AI","2026-03-26T01:28:11.485236+00:00",{"id":97,"slug":98,"title":99,"created_at":100},"6a2a8e6e-b956-49d8-be12-cc47bdc132b2","mastering-ai-prompts-2026-guide-en","Mastering AI Prompts: A 2026 Guide for Developers","2026-03-26T01:29:07.835148+00:00",{"id":102,"slug":103,"title":104,"created_at":105},"3ab2c67e-4664-4c67-a013-687a2f605814","garry-tan-open-sources-claude-code-toolkit-en","Garry Tan Open-Sources a Claude Code Toolkit","2026-03-26T08:26:20.245934+00:00",{"id":107,"slug":108,"title":109,"created_at":110},"66a7cbf8-7e76-41d4-9bbf-eaca9761bf69","github-ai-projects-to-watch-in-2026-en","20 GitHub AI Projects to Watch in 2026","2026-03-26T08:28:09.752027+00:00",{"id":112,"slug":113,"title":114,"created_at":115},"9f332fda-eace-448a-a292-2283951eee71","practical-github-guide-learning-ml-2026-en","A Practical GitHub Guide to Learning ML in 2026","2026-03-27T01:16:50.125678+00:00",{"id":117,"slug":118,"title":119,"created_at":120},"1b1f637d-0f4d-42bd-974b-07b53829144d","aiml-2026-student-ai-ml-lab-repo-review-en","AIML-2026 Is a Bare-Bones Student Lab Repo","2026-03-27T01:21:51.661231+00:00",{"id":122,"slug":123,"title":124,"created_at":125},"6d1bf3f6-e191-4d30-b55b-8a0722fa6afe","ai-trending-github-repos-and-research-feeds-en","AI Trending Tracks Repos and Research Feeds","2026-03-27T01:31:35.709532+00:00",{"id":127,"slug":128,"title":129,"created_at":130},"010539a1-4c3a-4bd3-937a-26616422ee0d","awesome-ai-for-science-research-tools-map-en","Awesome AI for Science Is Becoming a Real Research Map","2026-03-27T01:46:50.89513+00:00"]