registry  /  claude-codex-wechat  /  0.1.25

claude-codex-wechat@0.1.25

`claude-codex-wechat` 是一个本地 bridge daemon。它把:

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The package is a user-invoked WeChat-to-Claude/Codex bridge daemon with broad local agent-control capability. The risk is exposed unauthenticated local/LAN/relay administration of Codex or Claude sessions, not confirmed malware behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs claude-codex-wechat start or __daemon via installed service.
Impact
Remote or LAN access to the daemon could drive local Claude/Codex sessions and alter bridge/session state under the user's account.
Mechanism
unauthenticated bridge daemon controlling local AI CLI processes
Attack narrative
On explicit start, the CLI installs/starts a persistent daemon and listens on all interfaces. The daemon exposes routes for WeChat setup, filesystem browsing of directories, relay tunneling, and Claude/Codex session creation/attachment; it can spawn local AI CLIs and patch their session metadata. This is package-aligned but creates a real unresolved control-plane exposure because no auth middleware was visible.
Rationale
Static inspection does not confirm malware or remote decode-and-execute behavior, but the package exposes powerful unauthenticated AI-agent control and persistence when invoked. That warrants warning rather than publish blocking.
Evidence
package.jsondist/server/cli.jsREADME.mdconfig.example.json~/.claude-codex-wechat/config.json~/Library/LaunchAgents/com.claude-codex-wechat.plist~/.config/systemd/user/claude-codex-wechat.service~/.claude/projects/*.jsonl~/.claude/history.jsonl~/.codex/session_index.jsonl~/.codex/state_5.sqlite
Network endpoints5
ilinkai.weixin.qq.comnovac2c.cdn.weixin.qq.com/c2cwss://wechat.style520.com/agentregistry.npmmirror.com/claude-codex-wechat/latest127.0.0.1:8787

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • dist/server/cli.js exposes a Fastify daemon on 0.0.0.0:8787 with admin routes and no visible auth middleware.
  • dist/server/cli.js can spawn local claude/codex processes and codex app-server from daemon/API-driven sessions.
  • dist/server/cli.js writes user service files: ~/Library/LaunchAgents/com.claude-codex-wechat.plist or ~/.config/systemd/user/claude-codex-wechat.service.
  • dist/server/cli.js can create a relay auth token and connect to wss://wechat.style520.com/agent to proxy local daemon traffic.
  • dist/server/cli.js mutates ~/.claude and ~/.codex session metadata/index files for resume integration.
Evidence against
  • package.json has no install-time lifecycle hook; prepublishOnly is publish-side only.
  • The bin entrypoint only runs when user invokes claude-codex-wechat.
  • Flagged fetch/decrypt block is a WeChat media downloader writing attachments, not dynamic code execution.
  • Network endpoints align with package purpose: WeChat bridge, relay tunnel, and update check.
  • No eval/vm/Function or decoded payload execution found in inspected CLI source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 2 file(s), 446 KB of source, external domains: 127.0.0.1, ilinkai.weixin.qq.com, novac2c.cdn.weixin.qq.com, react.dev, registry.npmmirror.com, www.apple.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/server/cli.jsView file
21// src/channels/weixin-direct/loginClient.ts L22: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com"; L23: var WeixinDirectLoginClient = class { ... L60: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`); L61: const payload = await response.json(); L62: return payload.data ?? payload; ... L70: function defaultConfigPath() { L71: return join(homedir(), ".claude-codex-wechat", "config.json"); L72: } L73: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) { L74: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path); ... L169: function isRetriableRenameError(error) {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/server/cli.jsView on unpkg · L21
Trigger-reachable chain: manifest.bin -> dist/server/cli.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = claude-codex-wechat@0.1.24 matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.24 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/server/cli.jsView on unpkg
2443// src/providers/claude-code/claudeStreamingRunner.ts L2444: import { spawn as spawn3 } from "node:child_process"; L2445: import { randomUUID as randomUUID2 } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/server/cli.jsView on unpkg · L2443
21Detached bundled service listener: dist/server/cli.js launches a Node helper and exposes a broad-bound HTTP listener. L21: // src/channels/weixin-direct/loginClient.ts L22: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com"; L23: var WeixinDirectLoginClient = class { ... L60: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`); L61: const payload = await response.json(); L62: return payload.data ?? payload; ... L70: function defaultConfigPath() { L71: return join(homedir(), ".claude-codex-wechat", "config.json"); L72: } L73: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) { L74: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path); ... L169: function isRetriableRenameError(error) {
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server/cli.jsView on unpkg · L21
21// src/channels/weixin-direct/loginClient.ts L22: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com"; L23: var WeixinDirectLoginClient = class { ... L60: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`); L61: const payload = await response.json(); L62: return payload.data ?? payload; ... L70: function defaultConfigPath() { L71: return join(homedir(), ".claude-codex-wechat", "config.json"); L72: } L73: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) { L74: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path); ... L169: function isRetriableRenameError(error) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/cli.jsView on unpkg · L21
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2View file
path = dist/web/assets/bootstrap-icons-mSm7cUeB.woff2 kind = high_entropy_blob sizeBytes = 134044 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/bootstrap-icons-mSm7cUeB.woff2View on unpkg

Findings

3 Critical4 High5 Medium6 Low
CriticalRemote Asset Decode Executedist/server/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/server/cli.js
CriticalPrevious Version Dangerous Deltadist/server/cli.js
HighChild Processdist/server/cli.js
HighShell
HighSpawned Bundled Service Listenerdist/server/cli.js
HighShips High Entropy Blobdist/web/assets/bootstrap-icons-mSm7cUeB.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/server/cli.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License