AI Security Review
scanned 3d ago · by lpm-firewall-ai

User-invoked start creates a persistent local bridge daemon and default relay tunnel. The relay server can forward HTTP requests into the local admin/API surface, which can drive Claude Code or Codex sessions.
Decision evidence
public snapshot
- dist/server/cli.js starts a Fastify daemon on host 0.0.0.0 port 8787 by default.
- dist/server/cli.js auto-generates relay credentials and connects to wss://wechat.style520.com/agent when daemon starts.
- Relay handler proxies relay-supplied HTTP requests to http://127.0.0.1:<port><path>.
- Local/admin APIs can attach/start Claude Code or Codex sessions and spawn codex/claude app-server/CLI processes.
- start command installs persistent launchd/systemd-user service or detached Windows process.
- No npm install/postinstall/preinstall lifecycle execution; prepublishOnly only builds before publishing.
- Scanner remote decode/execute hint is noisy: mediaDownloader fetches WeChat media, AES-decrypts it, and writes bytes; no execution found.
- No eval, Function, vm, dynamic import, curl/wget, or shell payload pattern found.
- Network endpoints are package-aligned with documented WeChat/relay bridge behavior.
- README discloses local daemon, WeChat control plane, Codex/Claude bridge, and service commands.
Source & flagged code
6 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L21)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L2321)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L21)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L21)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)