AI Security Review
scanned 10h ago · by lpm-firewall-ai
The package exposes a WeChat/web/relay bridge that can drive local Claude or Codex agents with permissions disabled. It also mutates native Claude/Codex session state and can install a persistent user service when the CLI is started.
Decision evidence
public snapshot
- dist/server/cli.js starts Claude with --dangerously-skip-permissions and package MCP config
- dist/server/cli.js starts Codex app-server with sandboxPolicy disabled and approvalMode never
- dist/server/cli.js registers approval handlers that always return approve for Codex command/file changes
- dist/server/cli.js listens on 0.0.0.0:8787 and can start a relay tunnel to wss://wechat.style520.com/agent
- dist/server/cli.js rewrites Claude session JSONL to add permissionMode bypassPermissions
- dist/server/cli.js installs persistent launchd/systemd-user service on user-invoked default start
- package.json has no install/postinstall hook; prepublishOnly is publish-time only
- network endpoints are aligned with stated WeChat bridge functionality
- writes primarily use ~/.claude-codex-wechat plus Claude/Codex session metadata
Source & flagged code
7 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L22)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L2762)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L22)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L22)
- Package source references weak cryptographic algorithms. (dist/server/cli.js · L22)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)