AI Security Review
scanned 1d ago · by lpm-firewall-aiThe package is a user-invoked WeChat-to-Claude/Codex bridge daemon with broad local agent-control capability. The risk is exposed unauthenticated local/LAN/relay administration of Codex or Claude sessions, not confirmed malware behavior.
Decision evidence
public snapshot- dist/server/cli.js exposes a Fastify daemon on 0.0.0.0:8787 with admin routes and no visible auth middleware.
- dist/server/cli.js can spawn local claude/codex processes and codex app-server from daemon/API-driven sessions.
- dist/server/cli.js writes user service files: ~/Library/LaunchAgents/com.claude-codex-wechat.plist or ~/.config/systemd/user/claude-codex-wechat.service.
- dist/server/cli.js can create a relay auth token and connect to wss://wechat.style520.com/agent to proxy local daemon traffic.
- dist/server/cli.js mutates ~/.claude and ~/.codex session metadata/index files for resume integration.
- package.json has no install-time lifecycle hook; prepublishOnly is publish-side only.
- The bin entrypoint only runs when user invokes claude-codex-wechat.
- Flagged fetch/decrypt block is a WeChat media downloader writing attachments, not dynamic code execution.
- Network endpoints align with package purpose: WeChat bridge, relay tunnel, and update check.
- No eval/vm/Function or decoded payload execution found in inspected CLI source.
Source & flagged code
7 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/server/cli.jsView on unpkg · L21A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/server/cli.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
dist/server/cli.jsView on unpkgPackage source references child process execution.
dist/server/cli.jsView on unpkg · L2443Source launches a detached bundled service that exposes a broad-bound HTTP listener.
dist/server/cli.jsView on unpkg · L21Source writes installer persistence such as shell profile or service configuration.
dist/server/cli.jsView on unpkg · L21Package ships high-entropy non-source blobs.
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2View on unpkg