AI Security Review
scanned 1d ago · by lpm-firewall-ai
The package turns WeChat and relay traffic into a remote control surface for local Claude/Codex sessions while forcing Claude Code permission bypass. It also mutates existing Claude session files to add bypassPermissions metadata.
Decision evidence
public snapshot
- dist/server/cli.js buildStreamingArgs always adds --dangerously-skip-permissions for Claude Code sessions.
- dist/server/cli.js normalizeClaudeSessionFileForResume rewrites Claude session JSONL entrypoint sdk-cli to cli and injects permissionMode:bypassPermissions.
- dist/server/cli.js exposes WeChat/HTTP routes that create, attach, steer, interrupt, and send messages into local Claude/Codex sessions.
- dist/server/cli.js start installs a persistent user service via launchd/systemd or detached process.
- dist/server/cli.js relay tunnel connects to wss://wechat.style520.com/agent and forwards remote requests to local 127.0.0.1 bridge.
- package.json has no install/postinstall lifecycle hook; prepublishOnly is publish-time build only.
- README.md discloses the package is a local WeChat to Claude/Codex bridge daemon and that start registers a system service.
- Network endpoints for Weixin login/API are aligned with the package's WeChat bridge purpose.
Source & flagged code
7 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. Location: dist/server/cli.js, line 21.
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. Location: dist/server/cli.js.
- This package version adds a dangerous source file absent from the previous stored version. Location: dist/server/cli.js.
- Package source references child process execution. Location: dist/server/cli.js, line 2410.
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. Location: dist/server/cli.js, line 21.
- Source writes installer persistence such as shell profile or service configuration. Location: dist/server/cli.js, line 21.
- Package ships high-entropy non-source blobs. Location: dist/web/assets/bootstrap-icons-mSm7cUeB.woff2.