registry  /  weclaude  /  0.1.43

weclaude@0.1.43

Bridge Claude Code and WeCom: PreToolUse approval cards + bidirectional tmux session mirror with image paste

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Claude/WeCom bridge that installs agent-facing hooks, MCP tools, and an optional resident daemon. The risky behavior is mostly explicit onboarding or platform extension setup, with only a guarded postinstall marketplace refresh.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
global npm install postinstall refresh, or user runs weclaude init/sync/install
Impact
Remote WeCom chat can mirror/control configured Claude sessions and approve tool use after user setup.
Mechanism
Claude plugin/MCP/hook registration plus local daemon bridge
Policy narrative
On explicit setup, weclaude registers a Claude plugin/MCP server and local daemon, then bridges Claude Code sessions to WeCom for remote messages and approval cards. This is powerful agent-control functionality, but the inspected postinstall only refreshes an existing Claude marketplace entry under guarded global-install conditions; daemon and settings mutations require user-invoked init/sync/install paths.
Rationale
Source inspection shows dangerous agent-extension capability but not unconsented lifecycle hijack, credential exfiltration, remote payload execution, or arbitrary persistence during package install. Because it is a platform extension with guarded lifecycle refresh and explicit setup of Claude control surfaces, warn rather than block.
Evidence
package.jsonscripts/postinstall.shscripts/install.shdist/cli/init.jsdist/cli/sync.jshooks/pre-tool-use.shdist/mcp/server.jsdist/daemon/index.js~/.claude/plugins/marketplaces/weclaude-local/~/.weclaude/config.jsonc~/.weclaude/secrets.json~/.weclaude/sync.lock.json~/.claude/settings.json~/.claude-internal/settings.json~/Library/LaunchAgents/com.weclaude.daemon.plist~/.config/systemd/user/weclaude.service
Network endpoints4
wss://openws.work.weixin.qq.com127.0.0.1:17890127.0.0.1:17890/approvewwcdn.weixin.qq.com/node/wework/images/3d-claude-ai-logo.bce0ddae70.jpg

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: scripts/postinstall.sh
  • scripts/postinstall.sh runs only on global npm install and calls `claude plugin marketplace update weclaude-local`
  • dist/cli/init.js user-invoked onboarding writes ~/.weclaude config/secrets, installs Claude plugin, and installs daemon
  • dist/cli/sync.js can write mcpServers/env into configured Claude settings.json targets
  • scripts/install.sh user-invoked installs launchd/systemd user daemon
  • hooks/pre-tool-use.sh forwards Claude PreToolUse payloads to local daemon for remote approval
Evidence against
  • No install-time daemon registration in postinstall.sh; it exits unless npm_config_global=true and claude exists
  • Claude settings/plugin writes are in explicit init/sync/plugin flows, not unconditional package import/install
  • Network endpoints are package-aligned: WeCom websocket plus localhost daemon HTTP
  • Secrets are prompted and stored locally in ~/.weclaude/secrets.json, not exfiltrated to arbitrary endpoints
  • dist/shared/paths.js invisible-character regex is for sanitizing copied WeCom IDs, not hidden control-flow
  • No remote code download/eval or arbitrary lifecycle payload execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 370 KB of source, external domains: 127.0.0.1, wwcdn.weixin.qq.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = sh scripts/postinstall.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = sh scripts/postinstall.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/mcp/server.jsView file
6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/mcp/server.jsView on unpkg · L6
6import { StdioServerTransport } from "@[redacted].js"; L7: import { spawn } from "node:child_process"; L8: import { existsSync, readdirSync, statSync } from "node:fs"; ... L11: import { z } from "zod"; L12: const DAEMON_BASE = process.env.WECLAUDE_DAEMON_BASE ?? "http://127.0.0.1:17890"; L13: const ok = (data) => ({
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/server.jsView on unpkg · L6
dist/daemon/session-cache.jsView file
82try { L83: const data = JSON.parse(readFileSync(persistPath, "utf8")); L84: const now = Date.now();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/daemon/session-cache.jsView on unpkg · L82
dist/daemon/spawn-tmux.jsView file
25// before the first paste-buffer inject hits. L26: import { spawn } from "node:child_process"; L27: import { randomUUID } from "node:crypto"; ... L33: const augmentedPath = (orig) => { L34: const extras = [NODE_BIN_DIR, "/opt/homebrew/bin", "/usr/local/bin", `${process.env.HOME ?? ""}/.local/bin`].filter(Boolean); L35: const seen = new Set(); ... L48: let err = ""; L49: proc.stdout?.on("data", (c) => (out += c.toString("utf8"))); L50: proc.stderr?.on("data", (c) => (err += c.toString("utf8"))); ... L76: const claudeConfigCandidates = (claudeBin) => { L77: const home = homedir(); L78: const name = basename(claudeBin);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/spawn-tmux.jsView on unpkg · L25
dist/shared/paths.jsView file
10contains invisible/control Unicode U+200B (zero width space) const INVISIBLE = /[<U+200B>-<U+200D><U+2060>-<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/shared/paths.jsView on unpkg · L10
Trigger-reachable chain: manifest.bin -> dist/cli/init.js -> dist/shared/paths.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/shared/paths.jsView on unpkg
dist/cli/init.jsView file
61log(c.dim(" building...")); L62: const r = spawnSync("npx", ["tsc", "-p", "tsconfig.json"], { cwd: REPO, stdio: "inherit" }); L63: if (r.status !== 0)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/init.jsView on unpkg · L61
cli/weclaude.shView file
path = cli/weclaude.sh kind = build_helper sizeBytes = 8637 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cli/weclaude.shView on unpkg
dist/daemon/mirror-bridge.jsView file
matchType = previous_version_dangerous_delta matchedPackage = weclaude@0.1.39 matchedIdentity = npm:d2VjbGF1ZGU:0.1.39 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/daemon/mirror-bridge.jsView on unpkg

Findings

3 Critical5 High6 Medium6 Low
CriticalTrojan Source Unicodedist/shared/paths.js
CriticalTrigger Reachable Dangerous Capabilitydist/shared/paths.js
CriticalPrevious Version Dangerous Deltadist/daemon/mirror-bridge.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/mcp/server.js
HighShell
HighSame File Env Network Executiondist/mcp/server.js
HighRuntime Package Installdist/cli/init.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon/spawn-tmux.js
MediumShips Build Helpercli/weclaude.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/daemon/session-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings