AI Security Review
scanned 1d ago · by lpm-firewall-ai
The package is a runtime bridge, but it unilaterally changes Claude Code resume metadata to bypassPermissions. That is a local AI-agent control-surface mutation tied to remote message bridging.
Decision evidence
public snapshot
- dist/server/cli.js mutates Claude session JSONL: sdk-cli entrypoint is rewritten to cli and permissionMode:bypassPermissions is inserted when absent.
- dist/server/cli.js writes Claude history/session metadata under ~/.claude and Codex session metadata under ~/.codex/state_5.sqlite/session_index.jsonl.
- dist/server/cli.js exposes WeChat/relay controlled message routing to Claude/Codex providers, enabling remote chat messages to drive local agents after user starts service.
- package.json has no consumer install-time lifecycle hooks; prepublishOnly/postpublish are publisher-side.
- Network endpoints are aligned with stated WeChat/relay bridge purpose, not standalone exfiltration.
- Child_process use primarily launches configured claude/codex commands and service manager commands from user-invoked CLI flows.
Source & flagged code
6 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js, L21)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js, L2443)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js, L21)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js, L21)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)