AI Security Review
scanned 7h ago · by lpm-firewall-ai

The package is a WeChat bridge that can let WeChat messages drive local Claude Code/Codex sessions with permissions disabled and local file/media sending tools. This is dangerous agent-facing capability, but source inspection shows it is documented and user-invoked rather than an npm lifecycle hijack.
Decision evidence
public snapshot
- dist/server/cli.js starts Claude with --dangerously-skip-permissions and adds package MCP config.
- dist/server/cli.js starts Codex app-server with sandboxPolicy disabled and approvalMode never, auto-approving command/file approvals.
- dist/server/cli.js registers codex MCP server via `codex mcp add wechat-media` on daemon start.
- dist/server/cli.js can install user launchd/systemd/daemon persistence for the bridge service when `start` is run.
- dist/mcp/mediaServer.js exposes MCP tools to send arbitrary local file paths/media to the WeChat bridge.
- Remote/control endpoints include https://ilinkai.weixin.qq.com and wss://wechat.style520.com/agent.
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is not consumer install-time.
- Risky service/MCP setup is activated by documented CLI commands, mainly `claude-codex-wechat start`, not npm install/import.
- README describes a local WeChat-to-Claude/Codex bridge and documents service start/stop/uninstall behavior.
- No evidence of remote decoded payload execution in inspected source; scanner hint appears to map to normal fetch/WebSocket/client code.
- Configuration and credentials are written under ~/.claude-codex-wechat or chosen BRIDGE_CONFIG path, package-aligned.
Source & flagged code
10 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L13)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L13)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L13)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L13)
- Package source references weak cryptographic algorithms. (dist/server/cli.js · L13)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/mcp/mediaServer.js · L94)
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. (dist/mcp/mediaServer.js · L121)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/mcp/mediaServer.js)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)