AI Security Review
scanned 3d ago · by lpm-firewall-ai
Confirmed dangerous dual-use bridge: remote WeChat/relay input can steer local Claude/Codex sessions, and Claude is launched with permission bypass. Behavior is runtime/user-invoked rather than install-time, but it exposes an AI-agent control surface with persistence and public relay support.
Decision evidence
public snapshot
- dist/server/cli.js runs Claude with --dangerously-skip-permissions for bridged WeChat messages.
- dist/server/cli.js can rewrite Claude session JSONL to add permissionMode:bypassPermissions during resume repair.
- dist/server/cli.js starts a persistent launchd/systemd/user daemon and listens on 0.0.0.0:8787.
- dist/server/cli.js creates a default relay auth token and connects to wss://wechat.style520.com/agent.
- dist/server/cli.js forwards relay request payloads to local http://127.0.0.1:<port> API routes.
- package.json has no install/postinstall lifecycle hook; prepublishOnly is build-only and not consumer install-time.
- README.md openly describes a local WeChat to Claude/Codex bridge daemon.
- Network endpoints are aligned with WeChat login/media and relay functionality.
- No eval/vm/Function or decoded remote code execution was found in inspected source.
- Child processes are claude/codex, service managers, and platform utilities aligned with CLI behavior.
Source & flagged code
6 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L21)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L2321)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L21)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L21)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)