claude-codex-wechat@0.1.35

`claude-codex-wechat` is a local bridge daemon. It takes:

AI Security Review

scanned 6h ago · by lpm-firewall-ai

The package is a WeChat-to-Claude/Codex bridge with high-risk agent capabilities. It can run Claude with permissions bypassed, expose local bridge functions over a relay, and provide MCP tools for sending local files through WeChat.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
User runs claude-codex-wechat start/daemon and enables or uses the WeChat/relay/MCP bridge.
Impact
Remote WeChat/relay inputs can drive local Claude/Codex sessions with elevated agent permissions and send selected local files via the bridge; risk depends on user configuration and activation.
Mechanism
user-invoked AI agent bridge with permission bypass, relay proxy, MCP file-send tools, and service persistence
Attack narrative
After a user starts the CLI, it installs/runs a local bridge daemon, writes a package-owned MCP config, and may connect to a public relay. Messages can launch Claude with --dangerously-skip-permissions and package MCP tools that send local files/media through the bridge to WeChat. This is dangerous agent-facing functionality, but inspection did not find npm install-time execution or unconsented lifecycle mutation of a foreign/broad agent control surface.
Rationale
Source inspection confirms substantial dangerous AI-agent bridge capability, including hardcoded Claude permission bypass and MCP file-send tools, but activation is user-invoked and package-aligned rather than npm lifecycle hijack. This warrants warning rather than publish block under the provided boundary.
Evidence
  • package.json
  • dist/server/cli.js
  • dist/mcp/mediaServer.js
  • README.md
  • config.example.json
  • ~/.claude-codex-wechat/config.json
  • ~/.claude-codex-wechat/mcp-media.json
  • ~/.claude/projects/*/*.jsonl
  • ~/.claude/history.jsonl
  • ~/.codex/session_index.jsonl
  • ~/Library/LaunchAgents/com.claude-codex-wechat.plist
  • ~/.config/systemd/user/claude-codex-wechat.service
Network endpoints (4)
  • ilinkai.weixin.qq.com
  • wss://wechat.style520.com/agent
  • registry.npmmirror.com/claude-codex-wechat/latest
  • localhost:8787

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • dist/server/cli.js hardcodes Claude launch with --dangerously-skip-permissions and package MCP config
  • dist/server/cli.js can modify ~/.claude session JSONL, adding permissionMode:bypassPermissions during resume normalization
  • dist/server/cli.js user-invoked start installs launchd/systemd/daemon service under user home
  • dist/server/cli.js opens relay WebSocket to wss://wechat.style520.com/agent and proxies remote requests to local bridge
  • dist/mcp/mediaServer.js exposes MCP tools that send arbitrary file paths to the local bridge/WeChat channel
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepublishOnly is publish-time build only
  • Dangerous behavior is activated by CLI start/daemon or web/API actions, not import-time or npm install-time
  • MCP config is written under package config directory ~/.claude-codex-wechat, not into global Claude config
  • No eval/vm/Function or remote decoded code execution found in inspected source
  • Network endpoints are aligned with advertised WeChat bridge/relay functionality
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
NoLicense, WildcardDependency
scanned 3 file(s), 473 KB of source, external domains: 127.0.0.1, ilinkai.weixin.qq.com, novac2c.cdn.weixin.qq.com, react.dev, registry.npmmirror.com, www.apple.com, www.w3.org

Source & flagged code

11 flagged
dist/server/cli.js
    L22: // src/channels/weixin-direct/loginClient.ts
    L23: var DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
    L24: var WeixinDirectLoginClient = class {
    ...
    L61: if (!response.ok) throw new Error(`weixin_login_request_failed:${response.status}`);
    L62: const payload = await response.json();
    L63: return payload.data ?? payload;
    ...
    L71: function defaultConfigPath() {
    L72: return join(homedir(), ".claude-codex-wechat", "config.json");
    L73: }
    L74: function loadBridgeConfig(path = process.env.BRIDGE_CONFIG ?? defaultConfigPath()) {
    L75: if (!existsSync(path)) return normalizeBridgeConfig({}, process.env, path);
    ...
    L170: function isRetriableRenameError(error) {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/server/cli.js · L22
Trigger-reachable chain: manifest.bin -> dist/server/cli.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.js
    L2762: // src/providers/claude-code/claudeStreamingRunner.ts
    L2763: import { spawn as spawn3 } from "node:child_process";
    L2764: import { randomUUID as randomUUID2 } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/server/cli.js · L2762
Detached bundled service listener: dist/server/cli.js launches a Node helper and exposes a broad-bound HTTP listener.
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server/cli.js · L22
    matchType = normalized_sha256
    matchedPackage = claude-codex-wechat@0.1.33
    matchedPath = dist/server/cli.js
    matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.33
    similarity = 1.000
    summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/server/cli.js
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/cli.js · L22
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/cli.js · L22
dist/mcp/mediaServer.js
    L94: // src/mcp/tools/douyinDownload.ts
    L95: import { execFile } from "node:child_process";
    L96: import { existsSync } from "node:fs";
    ...
    L100: import { z as z2 } from "zod";
    L101: var BRIDGE_API_URL2 = process.env.BRIDGE_API_URL || "http://localhost:8787";
    L102: function findDouyinScript() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/mediaServer.js · L94
    L121: return new Promise((resolve2, reject) => {
    L122: execFile("node", [script, ...args], { timeout: 12e4 }, (err, stdout, stderr) => {
    L123: if (err) reject(new Error(stderr || err.message));
    ...
    L129: const fileName = basename2(filePath) || "video.mp4";
    L130: const response = await fetch(`${BRIDGE_API_URL2}/api/channel/send-media`, {
    L131: method: "POST",
    L132: headers: { "content-type": "application/json" },
    L133: body: JSON.stringify({ kind, filePath, fileName })
    L134: });
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/mcp/mediaServer.js · L121
    matchType = normalized_sha256
    matchedPackage = claude-codex-wechat@0.1.33
    matchedPath = dist/mcp/mediaServer.js
    matchedIdentity = npm:Y2xhdWRlLWNvZGV4LXdlY2hhdA:0.1.33
    similarity = 1.000
    summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/mcp/mediaServer.js
dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
    path = dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
    kind = high_entropy_blob
    sizeBytes = 134044
    magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/bootstrap-icons-mSm7cUeB.woff2

Findings

2 Critical · 8 High · 5 Medium · 7 Low
  • Critical · Remote Asset Decode Execute · dist/server/cli.js
  • Critical · Trigger Reachable Dangerous Capability · dist/server/cli.js
  • High · Child Process · dist/server/cli.js
  • High · Shell
  • High · Same File Env Network Execution · dist/mcp/mediaServer.js
  • High · Command Output Exfiltration · dist/mcp/mediaServer.js
  • High · Spawned Bundled Service Listener · dist/server/cli.js
  • High · Ships High Entropy Blob · dist/web/assets/bootstrap-icons-mSm7cUeB.woff2
  • High · Known Malware Source Similarity · dist/mcp/mediaServer.js
  • High · Known Malware Source Similarity · dist/server/cli.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · dist/server/cli.js
  • Medium · Structural Risk Force Deep Review
  • Medium · Wildcard Dependency
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · dist/server/cli.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License