AI Security Review
scanned 6h ago · by lpm-firewall-ai

The package is a WeChat-to-Claude/Codex bridge with high-risk agent capabilities. It can run Claude with permissions bypassed, expose local bridge functions over a relay, and provide MCP tools for sending local files through WeChat.
Decision evidence
public snapshot
- dist/server/cli.js hardcodes Claude launch with --dangerously-skip-permissions and package MCP config
- dist/server/cli.js can modify ~/.claude session JSONL, adding permissionMode:bypassPermissions during resume normalization
- dist/server/cli.js user-invoked start installs launchd/systemd/daemon service under user home
- dist/server/cli.js opens relay WebSocket to wss://wechat.style520.com/agent and proxies remote requests to local bridge
- dist/mcp/mediaServer.js exposes MCP tools that send arbitrary file paths to the local bridge/WeChat channel
- package.json has no install/postinstall lifecycle hook; prepublishOnly is publish-time build only
- Dangerous behavior is activated by CLI start/daemon or web/API actions, not import-time or npm install-time
- MCP config is written under package config directory ~/.claude-codex-wechat, not into global Claude config
- No eval/vm/Function or remote decoded code execution found in inspected source
- Network endpoints are aligned with advertised WeChat bridge/relay functionality
Source & flagged code
11 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/server/cli.js · L22)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/server/cli.js)
- Package source references child process execution. (dist/server/cli.js · L2762)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (dist/server/cli.js · L22)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/server/cli.js)
- Source writes installer persistence such as shell profile or service configuration. (dist/server/cli.js · L22)
- Package source references weak cryptographic algorithms. (dist/server/cli.js · L22)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/mcp/mediaServer.js · L94)
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. (dist/mcp/mediaServer.js · L121)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/mcp/mediaServer.js)
- Package ships high-entropy non-source blobs. (dist/web/assets/bootstrap-icons-mSm7cUeB.woff2)