AI Security Review
scanned 6h ago · by lpm-firewall-ai
The package is a WeChat-to-Claude/Codex bridge with a persistent daemon and agent-facing MCP tools. Risk is real but activated by the CLI/service workflow, not by npm installation.
Decision evidence
public snapshot
- dist/server/cli.js user-invoked start installs a persistent launchd/systemd/background daemon.
- dist/server/cli.js launches Claude with --dangerously-skip-permissions and package MCP config.
- dist/server/cli.js can rewrite ~/.claude session/history metadata and insert permissionMode bypassPermissions for sdk-cli sessions.
- dist/server/cli.js writes Codex session index/state metadata under ~/.codex.
- dist/mcp/mediaServer.js exposes MCP tools that send arbitrary local file paths to WeChat via the local bridge.
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publish-time only.
- Default writes are package-owned config/service paths or user-invoked runtime state, not npm install-time mutation.
- No eval/vm/Function or remote decode-execute behavior confirmed in inspected source.
- Network endpoints are aligned with WeChat bridge, relay, update check, and Douyin download functionality.
Source & flagged code
12 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
  dist/server/cli.js · L22
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  dist/server/cli.js
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
  dist/server/cli.js
- Package source references child process execution.
  dist/server/cli.js · L2762
- Source launches a detached bundled service that exposes a broad-bound HTTP listener.
  dist/server/cli.js · L22
- Source file is highly similar to a previously finalized malicious package; route for source-aware review.
  dist/server/cli.js
- Source writes installer persistence such as shell profile or service configuration.
  dist/server/cli.js · L22
- Package source references weak cryptographic algorithms.
  dist/server/cli.js · L22
- A single source file combines environment access, network access, and code or shell execution; review context before blocking.
  dist/mcp/mediaServer.js · L94
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
  dist/mcp/mediaServer.js · L121
- Source file is highly similar to a previously finalized malicious package; route for source-aware review.
  dist/mcp/mediaServer.js
- Package ships high-entropy non-source blobs.
  dist/web/assets/bootstrap-icons-mSm7cUeB.woff2