AI Security Review
scanned 12h ago · by lpm-firewall-aiThe package is a user-invoked WeChat bridge for Claude/Codex with dangerous agent-facing capabilities. It can run Claude with permissions disabled, attach remote chat input to local agent sessions, and install a persistent background service when the CLI is started.
Decision evidence
public snapshot- dist/server/cli.js starts Claude with --dangerously-skip-permissions and optional --mcp-config for bridge media tools
- dist/server/cli.js can modify ~/.claude project session JSONL/history and inserts permissionMode=bypassPermissions when normalizing sdk-cli sessions
- dist/server/cli.js user-invoked start installs persistent launchd/systemd-user service or detached Windows daemon
- dist/server/cli.js bridges WeChat/relay messages into Claude/Codex sessions and can steer active turns
- dist/mcp/mediaServer.js exposes MCP tools that send arbitrary absolute file paths to the local bridge for WeChat media upload
- package.json has no install/postinstall lifecycle hook; prepublishOnly is publish-time build only
- Network endpoints are package-aligned WeChat, relay, media CDN, and update-check services
- No confirmed eval/vm/Function remote code execution pattern found in inspected source
- Persistence is activated by CLI start/restart commands, not npm installation
- Config and generated MCP files are under ~/.claude-codex-wechat except explicit Claude/Codex session metadata updates
Source & flagged code
8 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/server/cli.jsView on unpkg · L22A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/server/cli.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server/cli.jsView on unpkgPackage source references child process execution.
dist/server/cli.jsView on unpkg · L2762Source launches a detached bundled service that exposes a broad-bound HTTP listener.
dist/server/cli.jsView on unpkg · L22Source writes installer persistence such as shell profile or service configuration.
dist/server/cli.jsView on unpkg · L22Package source references weak cryptographic algorithms.
dist/server/cli.jsView on unpkg · L22Package ships high-entropy non-source blobs.
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2View on unpkg