registry  /  weclaude  /  0.1.38

weclaude@0.1.38

Bridge Claude Code and WeCom: PreToolUse approval cards + bidirectional tmux session mirror with image paste

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a disclosed WeCom-to-Claude remote-control bridge with powerful but package-aligned, user-invoked setup paths.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `weclaude init`, `weclaude sync`, daemon, MCP tools, or Claude plugin hook; postinstall only refreshes an existing local marketplace on global install.
Impact
Enables authorized WeCom users to approve tools and remotely control/mirror Claude sessions after configuration.
Mechanism
Local daemon, Claude MCP/hook integration, WeCom WebSocket bridge, tmux/claude spawning
Rationale
Source inspection shows high-risk primitives are core to the documented remote-control product and are gated by interactive/user-invoked setup or local daemon configuration. I found no credential harvesting, hidden external exfiltration, destructive behavior, or unaligned install-time AI-agent takeover.
Evidence
package.jsonscripts/postinstall.shcli/weclaude.shdist/cli/init.jsdist/cli/sync.jshooks/pre-tool-use.shdist/mcp/server.jsdist/daemon/index.jsdist/daemon/inbound.jsdist/daemon/cc-bridge.jsdist/daemon/spawn-tmux.jsdist/shared/paths.js~/.weclaude/config.jsonc~/.weclaude/secrets.json~/.weclaude/sync.lock.json~/.claude/settings.json~/.claude-internal/settings.json~/Library/LaunchAgents/com.weclaude.daemon.plist~/.config/systemd/user/weclaude.service~/.weclaude/inbox~/.claude.json
Network endpoints3
127.0.0.1:17890wss://openws.work.weixin.qq.comwwcdn.weixin.qq.com/node/wework/images/3d-claude-ai-logo.bce0ddae70.jpg

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall only runs on global install and calls `claude plugin marketplace update weclaude-local`, not arbitrary code download or direct hook writes.
    • scripts/postinstall.sh exits unless global npm install and `claude` exists; failures are ignored.
    • dist/cli/init.js interactively collects WeCom credentials, writes ~/.weclaude config/secrets, then user-invoked sync/plugin/daemon setup.
    • dist/cli/sync.js writes managed MCP/env entries to configured Claude settings and supports removal.
    • hooks/pre-tool-use.sh sends hook payload only to local daemon URL by default.
    • dist/shared/paths.js invisible Unicode is inside a regex for sanitizing pasted IDs, not Trojan Source control flow.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 30 file(s), 345 KB of source, external domains: 127.0.0.1, wwcdn.weixin.qq.com

    Source & flagged code

    9 flagged · loading source
    package.jsonView file
    scripts.postinstall = sh scripts/postinstall.sh
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = sh scripts/postinstall.sh
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    dist/mcp/server.jsView file
    6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs";
    High
    Child Process

    Package source references child process execution.

    dist/mcp/server.jsView on unpkg · L6
    6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs"; ... L11: import { z } from "zod"; L12: const DAEMON_BASE = process.env.WECLAUDE_DAEMON_BASE ?? "http://127.0.0.1:17890"; L13: const ok = (data) => ({
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/mcp/server.jsView on unpkg · L6
    dist/daemon/session-cache.jsView file
    82try { L83: const data = JSON.parse(readFileSync(persistPath, "utf8")); L84: const now = Date.now();
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/daemon/session-cache.jsView on unpkg · L82
    dist/shared/paths.jsView file
    10contains invisible/control Unicode U+200B (zero width space) const INVISIBLE = /[<U+200B>-<U+200D><U+2060>-<U+FEFF>]/g;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/shared/paths.jsView on unpkg · L10
    Trigger-reachable chain: manifest.bin -> dist/cli/init.js -> dist/shared/paths.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/shared/paths.jsView on unpkg
    dist/cli/init.jsView file
    61log(c.dim(" building...")); L62: const r = spawnSync("npx", ["tsc", "-p", "tsconfig.json"], { cwd: REPO, stdio: "inherit" }); L63: if (r.status !== 0)
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/cli/init.jsView on unpkg · L61
    cli/weclaude.shView file
    path = cli/weclaude.sh kind = build_helper sizeBytes = 8637 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    cli/weclaude.shView on unpkg

    Findings

    2 Critical5 High5 Medium6 Low
    CriticalTrojan Source Unicodedist/shared/paths.js
    CriticalTrigger Reachable Dangerous Capabilitydist/shared/paths.js
    HighInstall Time Lifecycle Scriptspackage.json
    HighChild Processdist/mcp/server.js
    HighShell
    HighSame File Env Network Executiondist/mcp/server.js
    HighRuntime Package Installdist/cli/init.js
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helpercli/weclaude.sh
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/daemon/session-cache.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings