registry  /  weclaude  /  0.1.39

weclaude@0.1.39

Bridge Claude Code and WeCom: PreToolUse approval cards + bidirectional tmux session mirror with image paste

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package automatically mutates Claude's plugin marketplace during npm global install. That can refresh Claude plugin-controlled MCP/hooks without an explicit `weclaude init` or user command at install time.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm global install postinstall lifecycle
Impact
Can alter active Claude plugin hook/MCP behavior for users who previously registered weclaude-local, expanding AI-agent control surface during package installation.
Mechanism
unconsented Claude plugin/control-surface update
Policy narrative
On global npm install, the postinstall script silently calls the Claude CLI to update an existing `weclaude-local` plugin marketplace. Because the package ships Claude plugin hooks and an MCP server, this lifecycle action can refresh code that participates in Claude's tool-approval and MCP surfaces without the explicit runtime onboarding path.
Rationale
Most runtime capabilities are disclosed and aligned with a WeCom-to-Claude remote control tool, but the install-time Claude marketplace update is an unconsented AI-agent control-surface mutation. That concrete lifecycle behavior is sufficient to block under the firewall policy even though scanner claims like Trojan Source in paths.js appear to be benign invisible-character sanitization. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.shhooks/hooks.jsonhooks/pre-tool-use.shdist/cli/sync.jsdist/daemon/spawn-tmux.js~/.claude/plugins/marketplaces/weclaude-local/~/.claude/settings.json~/.claude-internal/settings.json~/.weclaude/config.jsonc~/.weclaude/secrets.json~/.claude.json
Network endpoints3
wss://openws.work.weixin.qq.com127.0.0.1:17890wwcdn.weixin.qq.com/node/wework/images/3d-claude-ai-logo.bce0ddae70.jpg

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: sh scripts/postinstall.sh
  • scripts/postinstall.sh runs during global install and invokes `claude plugin marketplace update weclaude-local`
  • hooks/hooks.json registers a Claude PreToolUse command hook pointing to hooks/pre-tool-use.sh
  • dist/cli/sync.js writes mcpServers/env entries into target Claude settings.json files
  • dist/daemon/spawn-tmux.js writes Claude trust markers into ~/.claude*.json for spawned workspaces
Evidence against
  • postinstall is gated to npm_config_global=true and claude on PATH
  • postinstall does not add a new marketplace; it updates an existing weclaude-local marketplace if present
  • Network use is mostly package-aligned: WeCom websocket and loopback daemon HTTP
  • Secrets are prompted into ~/.weclaude/secrets.json and loaded locally for WeCom bot auth
  • No evidence of broad credential harvesting or arbitrary external exfiltration outside the stated WeCom bridge
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 347 KB of source, external domains: 127.0.0.1, wwcdn.weixin.qq.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = sh scripts/postinstall.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = sh scripts/postinstall.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/mcp/server.jsView file
6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/mcp/server.jsView on unpkg · L6
6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs"; ... L11: import { z } from "zod"; L12: const DAEMON_BASE = process.env.WECLAUDE_DAEMON_BASE ?? "http://127.0.0.1:17890"; L13: const ok = (data) => ({
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/server.jsView on unpkg · L6
dist/daemon/session-cache.jsView file
82try { L83: const data = JSON.parse(readFileSync(persistPath, "utf8")); L84: const now = Date.now();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/daemon/session-cache.jsView on unpkg · L82
dist/shared/paths.jsView file
10contains invisible/control Unicode U+200B (zero width space) const INVISIBLE = /[<U+200B>-<U+200D><U+2060>-<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/shared/paths.jsView on unpkg · L10
Trigger-reachable chain: manifest.bin -> dist/cli/init.js -> dist/shared/paths.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/shared/paths.jsView on unpkg
dist/cli/init.jsView file
61log(c.dim(" building...")); L62: const r = spawnSync("npx", ["tsc", "-p", "tsconfig.json"], { cwd: REPO, stdio: "inherit" }); L63: if (r.status !== 0)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/init.jsView on unpkg · L61
cli/weclaude.shView file
path = cli/weclaude.sh kind = build_helper sizeBytes = 8637 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cli/weclaude.shView on unpkg
dist/daemon/mirror-bridge.jsView file
matchType = previous_version_dangerous_delta matchedPackage = weclaude@0.1.38 matchedIdentity = npm:d2VjbGF1ZGU:0.1.38 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/daemon/mirror-bridge.jsView on unpkg

Findings

3 Critical5 High5 Medium6 Low
CriticalTrojan Source Unicodedist/shared/paths.js
CriticalTrigger Reachable Dangerous Capabilitydist/shared/paths.js
CriticalPrevious Version Dangerous Deltadist/daemon/mirror-bridge.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/mcp/server.js
HighShell
HighSame File Env Network Executiondist/mcp/server.js
HighRuntime Package Installdist/cli/init.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercli/weclaude.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/daemon/session-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings