
claude-codex-wechat@0.1.34

`claude-codex-wechat` is a local bridge daemon. It takes:

AI Security Review

scanned 7h ago · by lpm-firewall-ai

The package is a WeChat bridge that can let WeChat messages drive local Claude Code/Codex sessions with permissions disabled and local file/media sending tools. This is dangerous agent-facing capability, but source inspection shows it is documented and user-invoked rather than an npm lifecycle hijack.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review.
Trigger
User runs `claude-codex-wechat start` or uses the bridge/MCP tools after setup.
Impact
A configured WeChat user can cause local Claude/Codex actions and request local files/media be sent through the bridge; service can persist until stopped/uninstalled.
Mechanism
User-invoked agent bridge with permission bypass, MCP registration, and local service persistence
Attack narrative
When started, the bridge creates a local web/relay service, registers a WeChat media MCP server, and launches Claude/Codex with permission checks bypassed or auto-approved. This creates a high-risk remote-to-local agent control path, including file/media sending through MCP tools, but the package presents this as its core documented purpose and does not trigger it during npm install.
Rationale
Source inspection confirms dangerous AI-agent capabilities and persistence, but they are package-aligned and user-invoked, with no consumer install-time mutation or hidden exfiltration found. Under the policy this should warn rather than publish-block.
Evidence
  • package.json
  • README.md
  • config.example.json
  • dist/server/cli.js
  • dist/mcp/mediaServer.js
  • ~/.claude-codex-wechat/config.json
  • ~/.claude-codex-wechat/logs/service.stdout.log
  • ~/.claude-codex-wechat/logs/service.stderr.log
  • ~/Library/LaunchAgents/com.claude-codex-wechat.plist
  • ~/.config/systemd/user/claude-codex-wechat.service
  • ~/.codex/session_index.jsonl
  • ~/.codex/state_5.sqlite
  • ~/.claude/projects/**/*.jsonl
Network endpoints (4)
  • ilinkai.weixin.qq.com
  • wss://wechat.style520.com/agent
  • registry.npmmirror.com/claude-codex-wechat/latest
  • localhost:8787

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • dist/server/cli.js starts Claude with --dangerously-skip-permissions and adds package MCP config.
  • dist/server/cli.js starts Codex app-server with sandboxPolicy disabled and approvalMode never, auto-approving command/file approvals.
  • dist/server/cli.js registers codex MCP server via `codex mcp add wechat-media` on daemon start.
  • dist/server/cli.js can install user launchd/systemd/daemon persistence for the bridge service when `start` is run.
  • dist/mcp/mediaServer.js exposes MCP tools to send arbitrary local file paths/media to the WeChat bridge.
  • Remote/control endpoints include https://ilinkai.weixin.qq.com and wss://wechat.style520.com/agent.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is not consumer install-time.
  • Risky service/MCP setup is activated by documented CLI commands, mainly `claude-codex-wechat start`, not npm install/import.
  • README describes a local WeChat-to-Claude/Codex bridge and documents service start/stop/uninstall behavior.
  • No evidence of remote decoded payload execution in inspected source; scanner hint appears to map to normal fetch/WebSocket/client code.
  • Configuration and credentials are written under ~/.claude-codex-wechat or chosen BRIDGE_CONFIG path, package-aligned.
Behavioral surface
Source
  • ChildProcess
  • Crypto
  • EnvironmentVars
  • Filesystem
  • Network
  • Shell
  • WebSocket
Supply chain
  • HighEntropyStrings
  • Minified
  • UrlStrings
Manifest
  • NoLicense
  • WildcardDependency
scanned 3 file(s), 473 KB of source, external domains: 127.0.0.1, ilinkai.weixin.qq.com, novac2c.cdn.weixin.qq.com, react.dev, registry.npmmirror.com, www.apple.com, www.w3.org

Source & flagged code

10 flagged
dist/server/cli.js

```
L13: import { mkdtempSync, existsSync as existsSync9, writeFileSync as writeFileSync2 } from "node:fs";
L14: import { execSync } from "node:child_process";
L15: import { tmpdir as tmpdir2 } from "node:os";
...
L23: // src/channels/weixin-direct/loginClient.ts
L24: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
L25: var WeixinDirectLoginClient = class {
...
L62: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
L63: const payload = await response.json();
L64: return payload.data ?? payload;
...
L72: function defaultConfigPath() {
L73: return join(homedir(), ".claude-codex-wechat", "config.json");
L74: }
```

Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/server/cli.js · L13
Trigger-reachable chain: manifest.bin -> dist/server/cli.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.js

```
L13: import { mkdtempSync, existsSync as existsSync9, writeFileSync as writeFileSync2 } from "node:fs";
L14: import { execSync } from "node:child_process";
L15: import { tmpdir as tmpdir2 } from "node:os";
```

High
Child Process

Package source references child process execution.

dist/server/cli.js · L13
Detached bundled service listener: dist/server/cli.js launches a Node helper and exposes a broad-bound HTTP listener.
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server/cli.js · L13
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/cli.js · L13
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/cli.js · L13
dist/mcp/mediaServer.js

```
L94: // src/mcp/tools/douyinDownload.ts
L95: import { execFile } from "node:child_process";
L96: import { existsSync } from "node:fs";
...
L100: import { z as z2 } from "zod";
L101: var BRIDGE_API_URL2 = process.env.BRIDGE_API_URL || "http://localhost:8787";
L102: function findDouyinScript() {
```

High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/mediaServer.js · L94

```
L121: return new Promise((resolve2, reject) => {
L122: execFile("node", [script, ...args], { timeout: 12e4 }, (err, stdout, stderr) => {
L123: if (err) reject(new Error(stderr || err.message));
...
L129: const fileName = basename2(filePath) || "video.mp4";
L130: const response = await fetch(`${BRIDGE_API_URL2}/api/channel/send-media`, {
L131: method: "POST",
L132: headers: { "content-type": "application/json" },
L133: body: JSON.stringify({ kind, filePath, fileName })
L134: });
```

High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/mcp/mediaServer.js · L121
  • matchType = normalized_sha256
  • matchedPackage = claude-codex-wechat@0.1.33
  • matchedPath = dist/mcp/mediaServer.js
  • matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.33
  • similarity = 1.000
  • summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/mcp/mediaServer.js
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  • path = dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  • kind = high_entropy_blob
  • sizeBytes = 134044
  • magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/bootstrap-icons-mSm7cUeB.woff2

Findings

2 Critical · 7 High · 5 Medium · 7 Low
  • Critical · Remote Asset Decode Execute · dist/server/cli.js
  • Critical · Trigger Reachable Dangerous Capability · dist/server/cli.js
  • High · Child Process · dist/server/cli.js
  • High · Shell
  • High · Same File Env Network Execution · dist/mcp/mediaServer.js
  • High · Command Output Exfiltration · dist/mcp/mediaServer.js
  • High · Spawned Bundled Service Listener · dist/server/cli.js
  • High · Ships High Entropy Blob · dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  • High · Known Malware Source Similarity · dist/mcp/mediaServer.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · dist/server/cli.js
  • Medium · Structural Risk Force Deep Review
  • Medium · Wildcard Dependency
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · dist/server/cli.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License