AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Claude Code/WeCom bridge with broad agent-extension capabilities. Risk is lifecycle and control-surface exposure, but the confirmed mutation is first-party and mostly user-invoked rather than stealth install-time hijack.
Decision evidence
public snapshot- package.json has postinstall `sh scripts/postinstall.sh`.
- scripts/postinstall.sh on global install runs `claude plugin marketplace update weclaude-local`.
- dist/cli/init.js user command writes ~/.weclaude config/secrets, syncs Claude settings, installs plugin, and installs launchd/systemd daemon.
- dist/cli/sync.js writes MCP/env entries into configured Claude settings.json targets.
- hooks/pre-tool-use.sh registers a broad PreToolUse hook that forwards tool approvals to local daemon.
- dist/daemon and dist/mcp expose remote-control flows that spawn/attach Claude/tmux sessions.
- Postinstall is gated to global npm installs, requires `claude` on PATH, and only updates an existing named marketplace.
- Initial plugin install and settings mutation occur via explicit `weclaude init` or `weclaude sync`, not automatic npm install.
- Network use is package-aligned: WeCom websocket and localhost daemon endpoints.
- No credential harvesting/exfiltration beyond user-entered WeCom bot credentials stored in ~/.weclaude/secrets.json.
- No remote payload download/eval or obfuscated staged code found in inspected files.
- dist/shared/paths.js invisible Unicode is an intentional regex for stripping zero-width chars, not Trojan Source control flow.
Source & flagged code
10 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp/server.jsView on unpkg · L6Package source references weak cryptographic algorithms.
dist/daemon/session-cache.jsView on unpkg · L82Source writes installer persistence such as shell profile or service configuration.
dist/daemon/spawn-tmux.jsView on unpkg · L25Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/shared/paths.jsView on unpkg · L10A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/shared/paths.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/init.jsView on unpkg · L61Package ships non-JavaScript build or shell helper files.
cli/weclaude.shView on unpkg