AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/cli/init.js` explicitly installs a Claude plugin, syncs MCP/env settings, and starts a resident daemon.
- `dist/cli/sync.js` writes a managed `weclaude` MCP server and daemon environment values into configured agent settings.
- `scripts/install.sh` persists `dist/daemon/index.js` as a user launchd/systemd service when explicitly invoked.
- `dist/daemon/ws.js` connects using configured WeCom bot credentials; daemon routes expose session switching and tmux/Claude spawning.
- `hooks/pre-tool-use.sh` sends Claude tool-use data to the local daemon for remote approval.
- `scripts/postinstall.sh` is guarded to global installs with `claude` present and only updates the named `weclaude-local` marketplace.
- No install hook writes arbitrary agent settings, installs the daemon, or executes a downloaded payload.
- `dist/shared/paths.js` invisible Unicode is a documented sanitization regex, not concealed control flow.
- Local hook/CLI endpoints use loopback `127.0.0.1`; no unrelated exfiltration endpoint was confirmed.
- `dist/daemon/redact.js` redacts credential-shaped tool-input values before IM forwarding.
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp/server.jsView on unpkg · L6Package source references weak cryptographic algorithms.
dist/daemon/session-cache.jsView on unpkg · L88Source writes installer persistence such as shell profile or service configuration.
dist/daemon/spawn-tmux.jsView on unpkg · L25Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/shared/paths.jsView on unpkg · L10A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/shared/paths.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/init.jsView on unpkg · L61Package ships non-JavaScript build or shell helper files.
cli/weclaude.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/daemon/mirror-bridge.jsView on unpkg