AI Security Review
scanned 3d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Claude/WeCom bridge that installs agent-facing hooks, MCP tools, and an optional resident daemon. The risky behavior is mostly explicit onboarding or platform extension setup, with only a guarded postinstall marketplace refresh.
Decision evidence
public snapshot- package.json defines postinstall: scripts/postinstall.sh
- scripts/postinstall.sh runs only on global npm install and calls `claude plugin marketplace update weclaude-local`
- dist/cli/init.js user-invoked onboarding writes ~/.weclaude config/secrets, installs Claude plugin, and installs daemon
- dist/cli/sync.js can write mcpServers/env into configured Claude settings.json targets
- scripts/install.sh user-invoked installs launchd/systemd user daemon
- hooks/pre-tool-use.sh forwards Claude PreToolUse payloads to local daemon for remote approval
- No install-time daemon registration in postinstall.sh; it exits unless npm_config_global=true and claude exists
- Claude settings/plugin writes are in explicit init/sync/plugin flows, not unconditional package import/install
- Network endpoints are package-aligned: WeCom websocket plus localhost daemon HTTP
- Secrets are prompted and stored locally in ~/.weclaude/secrets.json, not exfiltrated to arbitrary endpoints
- dist/shared/paths.js invisible-character regex is for sanitizing copied WeCom IDs, not hidden control-flow
- No remote code download/eval or arbitrary lifecycle payload execution found
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp/server.jsView on unpkg · L6Package source references weak cryptographic algorithms.
dist/daemon/session-cache.jsView on unpkg · L82Source writes installer persistence such as shell profile or service configuration.
dist/daemon/spawn-tmux.jsView on unpkg · L25Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/shared/paths.jsView on unpkg · L10A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/shared/paths.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/init.jsView on unpkg · L61Package ships non-JavaScript build or shell helper files.
cli/weclaude.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/daemon/mirror-bridge.jsView on unpkg