AI Security Review
scanned 5h ago · by lpm-firewall-ai
Install-time lifecycle code silently mutates the user's Codex MCP configuration by adding a package-supplied MCP server. That server gives Codex tools for sending arbitrary local file paths through the WeChat bridge and running a downloader helper.
Decision evidence
public snapshot
- package.json postinstall runs scripts/postinstall-codex-mcp.mjs on install
- postinstall executes `codex mcp remove/add wechat-media` without user confirmation
- postinstall registers dist/mcp/mediaServer.js into Codex with BRIDGE_API_URL=http://localhost:8787
- dist/mcp/mediaServer.js exposes MCP tools that send arbitrary file paths to the WeChat bridge
- dist/mcp/mediaServer.js can exec a douyin-download script from package/user skill locations
- No install-time network fetch or decoded remote code execution found in inspected postinstall source
- MCP endpoints are mostly localhost/package-aligned for a WeChat bridge
- Main CLI service and persistence are user-invoked commands, not import-time execution
Source & flagged code
12 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L22)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L2762)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L22)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/server/cli.js)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L22)
- Package source references weak cryptographic algorithms. (dist/server/cli.js · L22)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/mcp/mediaServer.js)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/mcp/mediaServer.js · L94)
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. (dist/mcp/mediaServer.js · L121)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)