
claude-codex-wechat@0.1.36

`claude-codex-wechat` is a local bridge daemon. It takes:

AI Security Review

scanned 6h ago · by lpm-firewall-ai

The package is a WeChat-to-Claude/Codex bridge with a persistent daemon and agent-facing MCP tools. Risk is real but activated by the CLI/service workflow, not by npm installation.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source.
Trigger
User runs claude-codex-wechat start or uses the running bridge/MCP tools.
Impact
Can route WeChat messages into Claude/Codex, send local files selected by the agent to WeChat, and alter Claude/Codex resume metadata.
Mechanism
persistent AI bridge daemon with permission-skipping Claude invocation and file-send MCP tools
Attack narrative
When started, the CLI installs or starts a persistent local bridge daemon, writes a package-owned MCP config, and launches Claude with permission skipping plus WeChat media tools. Runtime code can modify Claude/Codex session metadata to improve resume behavior and lets the agent send local files through the WeChat bridge. This is dangerous agent-facing functionality but not install-time hijacking.
Rationale
Source inspection confirms dangerous AI-agent capabilities and persistence only through the documented CLI start path, with no npm install-time execution or confirmed remote payload execution. Because the package can bypass Claude permissions and mutate foreign agent state at runtime, warn rather than mark clean.
Evidence
  • package.json
  • dist/server/cli.js
  • dist/mcp/mediaServer.js
  • dist/mcp/scripts/douyin-download.mjs
  • README.md
  • config.example.json
  • ~/.claude-codex-wechat/config.json
  • ~/.claude-codex-wechat/mcp-media.json
  • ~/Library/LaunchAgents/com.claude-codex-wechat.plist
  • ~/.config/systemd/user/claude-codex-wechat.service
  • ~/.claude/projects/*.jsonl
  • ~/.claude/history.jsonl
  • ~/.codex/session_index.jsonl
  • ~/.codex/state_5.sqlite
  • ~/Downloads/douyin_*.mp4
Network endpoints (7)
  • ilinkai.weixin.qq.com
  • wss://wechat.style520.com/agent
  • novac2c.cdn.weixin.qq.com/c2c
  • registry.npmmirror.com/claude-codex-wechat/latest
  • localhost:8787
  • www.iesdouyin.com/share/video/
  • aweme.snssdk.com/aweme/v1/play/

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • dist/server/cli.js user-invoked start installs a persistent launchd/systemd/background daemon.
  • dist/server/cli.js launches Claude with --dangerously-skip-permissions and package MCP config.
  • dist/server/cli.js can rewrite ~/.claude session/history metadata and insert permissionMode bypassPermissions for sdk-cli sessions.
  • dist/server/cli.js writes Codex session index/state metadata under ~/.codex.
  • dist/mcp/mediaServer.js exposes MCP tools that send arbitrary local file paths to WeChat via the local bridge.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publish-time only.
  • Default writes are package-owned config/service paths or user-invoked runtime state, not npm install-time mutation.
  • No eval/vm/Function or remote decode-execute behavior confirmed in inspected source.
  • Network endpoints are aligned with WeChat bridge, relay, update check, and Douyin download functionality.
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: NoLicense, WildcardDependency
scanned 4 file(s), 477 KB of source, external domains: 127.0.0.1, aweme.snssdk.com, ilinkai.weixin.qq.com, novac2c.cdn.weixin.qq.com, react.dev, registry.npmmirror.com, www.apple.com, www.douyin.com, www.iesdouyin.com, www.w3.org

Source & flagged code

12 flagged
dist/server/cli.js
  L22: // src/channels/weixin-direct/loginClient.ts
  L23: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
  L24: var WeixinDirectLoginClient = class {
  ...
  L61: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
  L62: const payload = await response.json();
  L63: return payload.data ?? payload;
  ...
  L71: function defaultConfigPath() {
  L72: return join(homedir(), ".claude-codex-wechat", "config.json");
  L73: }
  L74: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
  L75: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
  ...
  L170: function isRetriableRenameError(error) {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/server/cli.js · L22
Trigger-reachable chain: manifest.bin -> dist/server/cli.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.js
  matchType = previous_version_dangerous_delta
  matchedPackage = claude-codex-wechat@0.1.34
  matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.34
  similarity = 0.667
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/cli.js
  L2762: // src/providers/claude-code/claudeStreamingRunner.ts
  L2763: import { spawn as spawn3 } from "node:child_process";
  L2764: import { randomUUID as randomUUID2 } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/server/cli.js · L2762
Detached bundled service listener: dist/server/cli.js launches a Node helper and exposes a broad-bound HTTP listener.
  L22: // src/channels/weixin-direct/loginClient.ts
  L23: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
  L24: var WeixinDirectLoginClient = class {
  ...
  L61: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
  L62: const payload = await response.json();
  L63: return payload.data ?? payload;
  ...
  L71: function defaultConfigPath() {
  L72: return join(homedir(), ".claude-codex-wechat", "config.json");
  L73: }
  L74: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
  L75: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
  ...
  L170: function isRetriableRenameError(error) {
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server/cli.js · L22
  matchType = normalized_sha256
  matchedPackage = claude-codex-wechat@0.1.33
  matchedPath = dist/server/cli.js
  matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.33
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/server/cli.js
  L22: // src/channels/weixin-direct/loginClient.ts
  L23: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
  L24: var WeixinDirectLoginClient = class {
  ...
  L61: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
  L62: const payload = await response.json();
  L63: return payload.data ?? payload;
  ...
  L71: function defaultConfigPath() {
  L72: return join(homedir(), ".claude-codex-wechat", "config.json");
  L73: }
  L74: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
  L75: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
  ...
  L170: function isRetriableRenameError(error) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/cli.js · L22
  L22: // src/channels/weixin-direct/loginClient.ts
  L23: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
  L24: var WeixinDirectLoginClient = class {
  ...
  L61: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
  L62: const payload = await response.json();
  L63: return payload.data ?? payload;
  ...
  L71: function defaultConfigPath() {
  L72: return join(homedir(), ".claude-codex-wechat", "config.json");
  L73: }
  L74: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
  L75: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
  ...
  L170: function isRetriableRenameError(error) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/cli.js · L22
dist/mcp/mediaServer.js
  L94: // src/mcp/tools/douyinDownload.ts
  L95: import { execFile } from "node:child_process";
  L96: import { existsSync } from "node:fs";
  ...
  L100: import { z as z2 } from "zod";
  L101: var BRIDGE_API_URL2 = process.env.BRIDGE_API_URL || "http://localhost:8787";
  L102: function findDouyinScript() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/mediaServer.js · L94
  L121: return new Promise((resolve2, reject) => {
  L122: execFile("node", [script, ...args], { timeout: 12e4 }, (err, stdout, stderr) => {
  L123: if (err) reject(new Error(stderr || err.message));
  ...
  L129: const fileName = basename2(filePath) || "video.mp4";
  L130: const response = await fetch(`${BRIDGE_API_URL2}/api/channel/send-media`, {
  L131: method: "POST",
  L132: headers: { "content-type": "application/json" },
  L133: body: JSON.stringify({ kind, filePath, fileName })
  L134: });
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/mcp/mediaServer.js · L121
  matchType = normalized_sha256
  matchedPackage = claude-codex-wechat@0.1.33
  matchedPath = dist/mcp/mediaServer.js
  matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.33
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/mcp/mediaServer.js
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  path = dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  kind = high_entropy_blob
  sizeBytes = 134044
  magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/bootstrap-icons-mSm7cUeB.woff2

Findings

3 Critical · 8 High · 5 Medium · 7 Low
  • Critical: Remote Asset Decode Execute (dist/server/cli.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/server/cli.js)
  • Critical: Previous Version Dangerous Delta (dist/server/cli.js)
  • High: Child Process (dist/server/cli.js)
  • High: Shell
  • High: Same File Env Network Execution (dist/mcp/mediaServer.js)
  • High: Command Output Exfiltration (dist/mcp/mediaServer.js)
  • High: Spawned Bundled Service Listener (dist/server/cli.js)
  • High: Ships High Entropy Blob (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)
  • High: Known Malware Source Similarity (dist/mcp/mediaServer.js)
  • High: Known Malware Source Similarity (dist/server/cli.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Install Persistence (dist/server/cli.js)
  • Medium: Structural Risk Force Deep Review
  • Medium: Wildcard Dependency
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Weak Crypto (dist/server/cli.js)
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License