ClawHub

Wechat Claude Code Installer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WeChat-to-Claude installer, but it enables a persistent chat-controlled local agent with broad file and command access, so users should review it carefully before installing.

Install only if you intentionally want a persistent WeChat-controlled bridge into Claude Code. Use a dedicated WeChat account, avoid work or sensitive chats, review the upstream repository before running npm install, do not store API keys in plaintext plist files if you can avoid it, and disable or uninstall the LaunchAgent when you are not actively using the bridge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs users to run installer and fix scripts that clone repositories, modify session/config files, and write launchd plist state, yet it declares no permissions. This creates a permission-transparency gap: users and tooling are not properly warned that the skill performs persistent file modifications and installs a daemon, which increases the chance of unsafe execution.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The documented trigger phrases are broad natural-language commands like “装一下微信桥” and “微信里用 Claude Code,” which can be mentioned in ordinary conversation and may invoke the skill unintentionally. Because this skill performs installation and configuration of a local bridge with persistence and automation behavior, accidental invocation could lead to unreviewed setup actions or social-engineering opportunities.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger phrases are broad enough to activate on casual requests like '装一下微信桥' or '微信里用 Claude Code', which can cause the skill to engage in a high-impact installation workflow without sufficiently precise intent matching. In this context, accidental triggering is risky because the skill leads to repository cloning, dependency installation, daemon setup, and persistent configuration changes.

External Transmission

Medium
Category
Data Exfiltration
Content
with open(p, 'rb') as f: d = plistlib.load(f)
env = d.setdefault('EnvironmentVariables', {})
env['ANTHROPIC_AUTH_TOKEN'] = 'sk-ant-api03-你的key'
env['ANTHROPIC_BASE_URL'] = 'https://api.anthropic.com/v1/'
with open(p, 'wb') as f: plistlib.dump(d, f)
print("done")
PY
Confidence
85% confidence
Finding
https://api.anthropic.com/

Session Persistence

Medium
Category
Rogue Agent
Content
报告:Node 版本、是否已装、是否已绑、`ANTHROPIC_BASE_URL` 合规风险、OS 平台。

**重点关注 4️⃣**:如果 `ANTHROPIC_BASE_URL` 指向本地代理(公司 LLM 网关),**所有微信对话会经此代理进入公司日志**——聊私事前请改 plist 切回个人 Anthropic 账号。

### 第 1-2 步:一键安装(含扫码)
Confidence
88% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
|---|---|
| `fix-cwd.sh "$HOME/Claude Code"` | 坑 1:直接改 session.json |
| `fix-meta-talk.sh ["自定义 prompt"]` | 坑 2:覆盖 systemPrompt |
| `fix-caffeinate.sh` | 坑 3:plist 加 `caffeinate -i` |

### 第 4 步:起 daemon + 验证
Confidence
90% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
cd ~/.claude/skills/wechat-claude-code && npm run daemon -- stop

# 永久关(重启后也不起;修第 5 个坑)
launchctl unload -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist

# 重新启用
launchctl load -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
launchctl unload -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist

# 重新启用
launchctl load -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
```

## 切换 API 端点(避开公司代理)
Confidence
87% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
launchctl unload -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist

# 重新启用
launchctl load -w ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
```

## 切换 API 端点(避开公司代理)
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
如果 doctor 报告 `ANTHROPIC_BASE_URL` 指向公司代理,且不希望微信对话经过公司日志:

```bash
PLIST=~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
python3 <<'PY'
import plistlib, os
p = os.path.expanduser("~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist")
Confidence
91% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
如果 doctor 报告 `ANTHROPIC_BASE_URL` 指向公司代理,且不希望微信对话经过公司日志:

```bash
PLIST=~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
python3 <<'PY'
import plistlib, os
p = os.path.expanduser("~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist")
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
PLIST=~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
python3 <<'PY'
import plistlib, os
p = os.path.expanduser("~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist")
with open(p, 'rb') as f: d = plistlib.load(f)
env = d.setdefault('EnvironmentVariables', {})
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
PLIST=~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
python3 <<'PY'
import plistlib, os
p = os.path.expanduser("~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist")
with open(p, 'rb') as f: d = plistlib.load(f)
env = d.setdefault('EnvironmentVariables', {})
env['ANTHROPIC_AUTH_TOKEN'] = 'sk-ant-api03-你的key'
Confidence
97% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
python3 <<'PY'
import plistlib, os
p = os.path.expanduser("~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist")
with open(p, 'rb') as f: d = plistlib.load(f)
env = d.setdefault('EnvironmentVariables', {})
env['ANTHROPIC_AUTH_TOKEN'] = 'sk-ant-api03-你的key'
env['ANTHROPIC_BASE_URL'] = 'https://api.anthropic.com/v1/'
Confidence
86% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
env = d.setdefault('EnvironmentVariables', {})
env['ANTHROPIC_AUTH_TOKEN'] = 'sk-ant-api03-你的key'
env['ANTHROPIC_BASE_URL'] = 'https://api.anthropic.com/v1/'
with open(p, 'wb') as f: plistlib.dump(d, f)
print("done")
PY
launchctl unload ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
Confidence
89% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
with open(p, 'wb') as f: plistlib.dump(d, f)
print("done")
PY
launchctl unload ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
launchctl load ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
```
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
print("done")
PY
launchctl unload ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
launchctl load ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
```

## 卸载
Confidence
87% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
print("done")
PY
launchctl unload ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
launchctl load ~/Library/LaunchAgents/com.wechat-claude-code.bridge.plist
```

## 卸载
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
1. **微信账号风险**:iLink AI 是腾讯官方通道,封号风险极低;但建议**首次绑个人小号**。
2. **数据流向**:所有微信消息 → 本机 daemon → 你的 `ANTHROPIC_BASE_URL` → Claude。doctor 第 4 步会提醒。
3. **本机权限**:daemon 等同"坐在你电脑前的人"——能跑命令、读文件、改文件。**不要把绑定的微信号借给别人**。
4. **本 skill 不修改上游代码**,所有改动都在 launchd plist + session.json,可随时回滚。
5. 上游 1.0.0 还在迭代;本 skill 修法基于 1.0.0,未来版本可能不需要。

## 参考
Confidence
84% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal