
claude-codex-wechat@0.1.22

`claude-codex-wechat` is a local bridge daemon. It takes:

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a user-invoked CLI/server bridge for sending Claude/Codex activity through WeChat, with expected network and process-control primitives for that purpose.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User runs the claude-codex-wechat CLI or related dev/publish scripts.
Impact: Can persist local bridge configuration and forward messages to user-configured WeChat/relay endpoints when explicitly run.
Mechanism: User-configured local bridge server, WeChat/relay networking, and spawning Claude/Codex commands.
Rationale: Source inspection found powerful but package-aligned runtime behavior for a Claude/Codex WeChat bridge, not unconsented lifecycle execution or remote decoded code execution. The scanner's critical label appears to be a false positive against bundled runtime primitives and a font asset.
Evidence
  • package.json
  • dist/server/cli.js
  • dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  • config.example.json
Network endpoints (1)
  • api.github.com/repos/izerui/claude-codex-wechat/releases/latest

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/server/cli.js is executable bin and exposes local Fastify API plus SSE/event handling for Claude/Codex-to-WeChat bridging.
  • dist/server/cli.js reads/writes package config, WeChat credentials, relay auth token, and Claude session metadata only through runtime flows.
  • dist/server/cli.js uses child_process spawn/execFile to launch configured Claude/Codex CLIs and relay-server, including detached local service behavior.
  • dist/server/cli.js references package-aligned network endpoints: WeChat baseUrl, optional relay config, GitHub release URL, localhost server/SSE routes.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly only runs build before publisher publish, not consumer install.
  • No evidence of install-time execution, import-time payload execution, or decoded remote asset execution in inspected cli bundle.
  • No hardcoded exfiltration host or credential harvesting beyond user-configured WeChat/relay integration paths.
  • High-entropy woff2 asset is a normal bootstrap icon font under dist/web/assets, not executable code.
  • Writes are bounded to user config/state/session bridge metadata used by the declared CLI service.
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest
No License, Wildcard Dependency
scanned 2 file(s), 444 KB of source, external domains: 127.0.0.1, ilinkai.weixin.qq.com, novac2c.cdn.weixin.qq.com, react.dev, registry.npmmirror.com, www.apple.com, www.w3.org

Source & flagged code

6 flagged
dist/server/cli.js
L21: // src/channels/weixin-direct/loginClient.ts
L22: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
L23: var WeixinDirectLoginClient = class {
...
L60: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
L61: const payload = await response.json();
L62: return payload.data ?? payload;
...
L70: function defaultConfigPath() {
L71: return join(homedir(), ".claude-codex-wechat", "config.json");
L72: }
L73: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
L74: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
...
L1107: }));
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/server/cli.js · L21
Trigger-reachable chain: manifest.bin -> dist/server/cli.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.js
L2351: // src/providers/claude-code/claudeStreamingRunner.ts
L2352: import { spawn as spawn3 } from "node:child_process";
L2353: import { randomUUID as randomUUID2 } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/server/cli.js · L2351
Detached bundled service listener: dist/server/cli.js launches a Node helper and exposes a broad-bound HTTP listener. (Flagged excerpt at L21, shown above.)
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server/cli.js · L21
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/cli.js · L21
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
path = dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
kind = high_entropy_blob
sizeBytes = 134044
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/bootstrap-icons-mSm7cUeB.woff2

Findings

2 Critical · 4 High · 5 Medium · 6 Low
Critical: Remote Asset Decode Execute (dist/server/cli.js)
Critical: Trigger Reachable Dangerous Capability (dist/server/cli.js)
High: Child Process (dist/server/cli.js)
High: Shell
High: Spawned Bundled Service Listener (dist/server/cli.js)
High: Ships High Entropy Blob (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (dist/server/cli.js)
Medium: Structural Risk Force Deep Review
Medium: Wildcard Dependency
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License