AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a disclosed WeCom-to-Claude remote-control bridge with powerful but package-aligned, user-invoked setup paths.
Decision evidence
public snapshot- package.json postinstall only runs on global install and calls `claude plugin marketplace update weclaude-local`, not arbitrary code download or direct hook writes.
- scripts/postinstall.sh exits unless global npm install and `claude` exists; failures are ignored.
- dist/cli/init.js interactively collects WeCom credentials, writes ~/.weclaude config/secrets, then user-invoked sync/plugin/daemon setup.
- dist/cli/sync.js writes managed MCP/env entries to configured Claude settings and supports removal.
- hooks/pre-tool-use.sh sends hook payload only to local daemon URL by default.
- dist/shared/paths.js invisible Unicode is inside a regex for sanitizing pasted IDs, not Trojan Source control flow.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp/server.jsView on unpkg · L6Package source references weak cryptographic algorithms.
dist/daemon/session-cache.jsView on unpkg · L82Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/shared/paths.jsView on unpkg · L10A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/shared/paths.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/init.jsView on unpkg · L61Package ships non-JavaScript build or shell helper files.
cli/weclaude.shView on unpkg