AI Security Review
scanned 1d ago · by lpm-firewall-aiRunning the CLI start command installs a persistent local daemon that connects by default to a public relay and lets remote WeChat traffic drive local Claude/Codex sessions. The bridge forces Claude into permission-bypass mode and mutates AI agent session metadata for resume.
Decision evidence
public snapshot- package.json exposes bin ./dist/server/cli.js; default command start installs a persistent daemon
- dist/server/cli.js starts launchd/systemd-user/Windows detached service files for __daemon
- dist/server/cli.js defaults relay to wss://wechat.style520.com/agent and proxies relay requests to local http://127.0.0.1:<port>
- dist/server/cli.js runs Claude with --dangerously-skip-permissions for bridged WeChat messages
- dist/server/cli.js mutates Claude session JSONL to add permissionMode bypassPermissions when resuming
- dist/server/cli.js launches codex app-server and rewrites Codex thread/session metadata for resumed sessions
- package.json has no install/postinstall/preinstall lifecycle hook; prepublishOnly is publish-time only
- README.md describes the package as a WeChat-to-Claude/Codex local bridge daemon
- No eval/new Function/vm dynamic execution found in dist/server/cli.js
- Media download code fetches and decrypts WeChat CDN media to files, not code execution
Source & flagged code
7 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/server/cli.jsView on unpkg · L21A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/server/cli.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
dist/server/cli.jsView on unpkgPackage source references child process execution.
dist/server/cli.jsView on unpkg · L2351Source launches a detached bundled service that exposes a broad-bound HTTP listener.
dist/server/cli.jsView on unpkg · L21Source writes installer persistence such as shell profile or service configuration.
dist/server/cli.jsView on unpkg · L21Package ships high-entropy non-source blobs.
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2View on unpkg