
zhongyi-tong/WeChatLuckyMoney

:money_with_wings: WeChat's lucky money helper (微信抢红包插件) by Zhongyi Tong. An Android app that helps you snatch red packets in WeChat groups.

Overall: Mixed — Stale — last commit 7y ago

Weakest axis — Use as dependency: Mixed
last commit was 7y ago; no tests detected

Fork & modify: Healthy
Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy
Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy
No critical CVEs, sane security posture — runnable as-is.

Evidence (6 items):
  • 5 active contributors
  • MIT licensed
  • CI configured
  • Stale — last commit 7y ago
  • Concentrated ownership — top contributor handles 61% of recent commits
  • No test directory detected

What would change the summary?
  • Use as dependency: Mixed → Healthy if: 1 commit in the last 365 days

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: zhongyi-tong/WeChatLuckyMoney

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/zhongyi-tong/WeChatLuckyMoney shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

WAIT — Stale — last commit 7y ago

  • 5 active contributors
  • MIT licensed
  • CI configured
  • ⚠ Stale — last commit 7y ago
  • ⚠ Concentrated ownership — top contributor handles 61% of recent commits
  • ⚠ No test directory detected

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live zhongyi-tong/WeChatLuckyMoney repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/zhongyi-tong/WeChatLuckyMoney.

What it runs against: a local clone of zhongyi-tong/WeChatLuckyMoney — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in zhongyi-tong/WeChatLuckyMoney | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch stable exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 2690 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>zhongyi-tong/WeChatLuckyMoney</code></summary>

```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of zhongyi-tong/WeChatLuckyMoney. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/zhongyi-tong/WeChatLuckyMoney.git
#   cd WeChatLuckyMoney
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of zhongyi-tong/WeChatLuckyMoney and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "zhongyi-tong/WeChatLuckyMoney(\.git)?\b" \
  && ok "origin remote is zhongyi-tong/WeChatLuckyMoney" \
  || miss "origin remote is not zhongyi-tong/WeChatLuckyMoney (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
   || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify stable >/dev/null 2>&1 \
  && ok "default branch stable exists" \
  || miss "default branch stable no longer exists"

# 4. Critical files exist
test -f "app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java" \
  && ok "app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java" \
  || miss "missing critical file: app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java"
test -f "app/src/main/java/xyz/monkeytong/hongbao/activities/MainActivity.java" \
  && ok "app/src/main/java/xyz/monkeytong/hongbao/activities/MainActivity.java" \
  || miss "missing critical file: app/src/main/java/xyz/monkeytong/hongbao/activities/MainActivity.java"
test -f "app/src/main/java/xyz/monkeytong/hongbao/fragments/GeneralSettingsFragment.java" \
  && ok "app/src/main/java/xyz/monkeytong/hongbao/fragments/GeneralSettingsFragment.java" \
  || miss "missing critical file: app/src/main/java/xyz/monkeytong/hongbao/fragments/GeneralSettingsFragment.java"
test -f "app/src/main/AndroidManifest.xml" \
  && ok "app/src/main/AndroidManifest.xml" \
  || miss "missing critical file: app/src/main/AndroidManifest.xml"
test -f "app/src/main/res/xml/accessible_service_config.xml" \
  && ok "app/src/main/res/xml/accessible_service_config.xml" \
  || miss "missing critical file: app/src/main/res/xml/accessible_service_config.xml"

# 5. Repo recency (falls back to epoch 0 if git log fails, which forces a FAIL)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 2690 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~2660d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/zhongyi-tong/WeChatLuckyMoney"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

An Android accessibility service that automatically detects and opens WeChat red packet (hongbao) notifications, then claims the money inside before other users. It intercepts system notifications and chat list/page events via Android's AccessibilityService API, identifies red packet keywords and UI elements, and simulates user clicks to open and claim rewards at superhuman speed. Single-module Android app (app/) structured as: activities/ (MainActivity, SettingsActivity, WebViewActivity) → services/HongbaoService.java (the core AccessibilityService) → utils/ (HongbaoSignature for verification, HongbaoLogger, ConnectivityUtil, DownloadUtil, UpdateTask for self-updates) → fragments/ (CommentSettingsFragment, GeneralSettingsFragment for settings UI) → res/ (layout XMLs for preferences and web view). No tests directory visible.

👥Who it's for

Chinese WeChat users who want to automatically snatch red packets in group chats without manual clicking. Contributors are Android developers familiar with AccessibilityService, WeChat's UI patterns, and Chinese monetization/gaming culture.

🌱Maturity & risk

Actively maintained but aging gracefully. The stable branch shows consistent updates (v5.0.0 as of build.gradle), has CI/CD via Travis CI, and demonstrates ~10K+ downloads and community engagement on Gitter. However, it targets SDK 25 (Android 7.1) with minSdkVersion 19, suggesting it hasn't kept pace with modern Android (API 34+). No visible test suite in the file structure.

Moderate-to-high risk: (1) Directly manipulates accessibility APIs—a ban vector if WeChat detects automated claiming; (2) Minimal dependencies (only Bugly crash reporting, support-v4/v7) but depends on reverse-engineering WeChat's evolving UI and notification structure; (3) Single maintainer (Zhongyi Tong / geeeeeeeeek); (4) Disclaimer in README explicitly warns of WeChat account suspension risk; (5) Last observable activity appears to be the stable branch—unclear if dev branch is active.

Active areas of work

Unclear from provided data; README references the dev branch as 'deprecated' and directs issues to the stable branch. The .travis.yml indicates CI was set up, but no recent commit history is visible. The app appears in maintenance mode: accepting bug fixes and WeChat compatibility updates, but no major feature development evident.

🚀Get running

Clone the repo with git clone https://github.com/geeeeeeeeek/WeChatLuckyMoney.git && cd WeChatLuckyMoney. Install Android Studio with SDK 25 and build tools 26.0.2. Run ./gradlew build (or gradle build if gradle wrapper is not present). Set keystore credentials via environment variables KEYSTORE_PASS, ALIAS_NAME, ALIAS_PASS if building release APK, or edit build.gradle to remove signing for debug builds.

Daily commands: In Android Studio: File → Open → select the repo root. Sync Gradle. Connect an emulator or physical device (minSdkVersion 19 / Android 4.4+). Click Run (Shift+F10) to install and launch MainActivity. Or via CLI: ./gradlew installDebug && adb shell am start -n xyz.monkeytong.hongbao/xyz.monkeytong.hongbao.activities.MainActivity.

🗺️Map of the codebase

  • app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java — Core accessibility service that detects and intercepts red packet notifications; the heart of the automation logic
  • app/src/main/java/xyz/monkeytong/hongbao/activities/MainActivity.java — Entry point and main UI controller; manages service lifecycle and user interactions
  • app/src/main/java/xyz/monkeytong/hongbao/fragments/GeneralSettingsFragment.java — Settings configuration for monitoring mode and core behavior; user preferences drive service logic
  • app/src/main/AndroidManifest.xml — Declares accessibility service and required permissions; without this, the automation cannot function
  • app/src/main/res/xml/accessible_service_config.xml — Accessibility service configuration that specifies event types monitored (notifications, window changes)
  • app/build.gradle — Build configuration defining min/target SDK, signing config, and native library support
  • app/src/main/java/xyz/monkeytong/hongbao/utils/HongbaoSignature.java — Signature verification utility; ensures authenticity and prevents tampering with release builds

🛠️How to make changes

Add a new settings option (e.g., whitelist/blacklist keywords)

  1. Add string key and label to app/src/main/res/values/strings.xml (app/src/main/res/values/strings.xml)
  2. Add preference entry (Preference or CheckBoxPreference) to app/src/main/res/xml/general_preferences.xml (app/src/main/res/xml/general_preferences.xml)
  3. Read the preference value using SharedPreferences in GeneralSettingsFragment or HongbaoService (app/src/main/java/xyz/monkeytong/hongbao/fragments/GeneralSettingsFragment.java)
  4. Implement filtering logic in HongbaoService.onAccessibilityEvent() to apply the new setting (app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java)

Add a new monitoring mode or detection heuristic

  1. Define a new mode constant and enum value in HongbaoService or a dedicated config class (app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java)
  2. Add a Preference or spinner option in general_preferences.xml to let users select the mode (app/src/main/res/xml/general_preferences.xml)
  3. Implement detection logic in HongbaoService.onAccessibilityEvent() that checks the selected mode and triggers appropriate actions (app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java)

Add a new auto-reply comment template or comment customization

  1. Add preference entries to app/src/main/res/xml/comment_preferences.xml for new comment options (app/src/main/res/xml/comment_preferences.xml)
  2. Add corresponding UI strings in app/src/main/res/values/strings.xml (app/src/main/res/values/strings.xml)
  3. Update CommentSettingsFragment to handle new comment settings if custom UI is needed (app/src/main/java/xyz/monkeytong/hongbao/fragments/CommentSettingsFragment.java)
  4. Integrate the new comment template into HongbaoService.onAccessibilityEvent() where auto-reply is triggered (app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java)

Integrate a new update or notification mechanism

  1. Extend or create a new utility class similar to UpdateTask.java for custom update logic (app/src/main/java/xyz/monkeytong/hongbao/utils/UpdateTask.java)
  2. Call the update check from MainActivity or as a background scheduled task (app/src/main/java/xyz/monkeytong/hongbao/activities/MainActivity.java)
  3. Use DownloadUtil for any HTTP requests or extend it with additional download logic (app/src/main/java/xyz/monkeytong/hongbao/utils/DownloadUtil.java)

🔧Why these technologies

  • Android Accessibility Service API — Provides system-level event interception without requiring root; enables detection of notifications and window state changes
  • SharedPreferences — Lightweight key-value storage for user settings and configuration; persists across app restarts
  • PreferenceFragment — Standard Android pattern for settings UI; provides automatic persistence and validation of user preferences
  • Native NDK (armeabi, armeabi-v7a) — Support for ARM processor architectures; likely used for obfuscation or performance-critical detection logic
  • ProGuard/R8 Obfuscation — Protects sensitive logic from reverse engineering; commonly used in competitive apps to hide algorithms

⚖️Trade-offs already made

  • Accessibility Service instead of higher-privilege approaches

    • Why: No root required, user consent model, broad device compatibility
    • Consequence: Limited to accessibility events; cannot intercept at lower system levels or access protected UI elements directly
  • Single monolithic HongbaoService instead of modular service architecture

    • Why: Simplicity; fewer inter-process communication overhead; easier to manage shared state
    • Consequence: Service becomes a large, complex class handling detection, filtering, clicking, and logging; harder to test and maintain
  • Built-in update checker instead of relying on app store

    • Why: Faster deployment of patches; independent release cycle; no dependency on store review
    • Consequence: User must trust update source; adds network code

🪤Traps & gotchas

  1. Keystore signing: Release builds require ../monkeytong.jks keystore + environment variables KEYSTORE_PASS, ALIAS_NAME, ALIAS_PASS, or manual gradle.properties. Remove signingConfig from build.gradle to build debug APK without it.
  2. AccessibilityService permissions: Must be manually enabled by user in Settings → Accessibility after app install; no programmatic way to prompt.
  3. WeChat version fragility: Red packet detection relies on hardcoded UI element names and notification text patterns—breaks silently when WeChat updates its UI or Chinese keywords.
  4. Bugly crash reporting: Uses Tencent's closed-source library; crashes are auto-uploaded unless explicitly disabled.
  5. Deprecated dev branch: README warns that dev branch is abandoned; only stable branch is maintained.
  6. SDK target 25 is outdated: Modern Play Store requires targetSdkVersion ≥ 34 (as of 2024).

🏗️Architecture

💡Concepts to learn

  • AccessibilityService API — Core Android framework this plugin exploits to intercept notifications and UI events without root; essential to understand for maintaining/auditing the service.
  • AccessibilityEvent and UiAutomation — HongbaoService listens for TYPE_NOTIFICATION_STATE_CHANGED and TYPE_WINDOW_CONTENT_CHANGED events; understanding event types is key to red packet detection.
  • Intent-based Inter-Process Communication (IPC) — App uses intents to communicate between MainActivity and HongbaoService; understanding PendingIntent and broadcast receivers helps debug service lifecycle issues.
  • Reverse Engineering & UI Element Introspection — The plugin must identify red packets by inspecting WeChat's UI hierarchy and notification text—brittle and requires regular reverse-engineering when WeChat updates.
  • ProGuard Obfuscation & Code Signing — Build uses ProGuard for minification and manual keystore signing; important for secure distribution and preventing reverse-engineering of the APK.
  • Preference Framework & SharedPreferences — Settings (delay, auto-reply, monitoring mode) persist via PreferenceFragment and SharedPreferences; understand for adding/modifying user-configurable features.
  • Native Development Kit (NDK) & ABI Filtering — Build filters to armeabi and armeabi-v7a ABIs; useful for supporting older ARM devices, but unnecessarily limits modern 64-bit (arm64-v8a) support.
  • XiaoMi/LuckyMoneyTool — The original Xiaomi MIUI 7 red packet tool that inspired this project; provides architectural reference for AccessibilityService-based automation on older Android versions.
  • EthereumPhone/Accessibility — Another Android AccessibilityService example demonstrating event interception and UI automation patterns applicable to similar use cases.
  • tencent-wechat/WeChat — Official WeChat Android repository (if open-sourced); would clarify current UI element names and notification format changes that break this plugin.
  • android/architecture-samples — Google's reference architecture for modern Android apps; useful for modernizing WeChatLuckyMoney's outdated SDK targets and adding test infrastructure.
  • square/okhttp — Standalone HTTP client that could replace Apache HTTP legacy dependency (useLibrary 'org.apache.http.legacy') in future updates.

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Migrate deprecated Android Support Library to AndroidX

The project uses outdated com.android.support libraries (support-v4:25.4.0, appcompat-v7:25.4.0) which are no longer maintained. AndroidX is the modern replacement and is required for new Google Play submissions. This affects app/build.gradle and will require updates to AndroidManifest.xml imports across all activities and fragments.

  • [ ] Update app/build.gradle: Replace compile 'com.android.support:*' with androidx equivalents (androidx.appcompat:appcompat:1.x.x, androidx.legacy:legacy-support-v4:1.x.x)
  • [ ] Update gradle.properties to enable Jetifier and AndroidX (android.useAndroidX=true, android.enableJetifier=true)
  • [ ] Update all import statements in app/src/main/java/xyz/monkeytong/hongbao/**/*.java from android.support.* to androidx.*
  • [ ] Test against minSdkVersion 19 to ensure backward compatibility

Add ProGuard configuration documentation and optimize obfuscation rules

The app/proguard-rules.pro file exists but is referenced without explanation in README. Given this is a service-based app using reflection for WeChat integration (HongbaoService.java, HongbaoSignature.java), ProGuard rules need careful maintenance. Adding a PROGUARD_RULES.md file and auditing existing rules will prevent runtime crashes from aggressive obfuscation.

  • [ ] Review app/proguard-rules.pro and identify rules needed for Bugly (com.tencent.bugly.*), AccessibilityService, and reflection-based WeChat API calls
  • [ ] Create docs/PROGUARD_RULES.md documenting why each rule exists and classes that must not be obfuscated (e.g., HongbaoService callback methods)
  • [ ] Add comments to app/proguard-rules.pro for maintainability
  • [ ] Add a CI check (to .travis.yml) that builds with minifyEnabled=true to catch obfuscation issues early

Create unit tests for utility classes and add GitHub Actions CI

.travis.yml exists but only provides build output visibility. The util package (ConnectivityUtil.java, DownloadUtil.java, PowerUtil.java, HongbaoLogger.java) lacks test coverage. Adding unit tests + migrating from Travis CI to GitHub Actions (which is native to GitHub) will improve reliability and developer experience.

  • [ ] Create app/src/test/java/xyz/monkeytong/hongbao/utils/ directory with unit tests for ConnectivityUtil.java, PowerUtil.java, and DownloadUtil.java using JUnit4 + Mockito
  • [ ] Replace .travis.yml with .github/workflows/android-ci.yml using actions/setup-java@v3 and gradle actions
  • [ ] Configure GitHub Actions to run tests on pull requests and main branch, with artifact uploads for APK builds
  • [ ] Update README.md with GitHub Actions badge instead of Travis CI badge

🌿Good first issues

  • Add unit tests for HongbaoSignature.java keyword filtering logic (e.g., test that '专属红包' and '翻倍' are filtered correctly). Currently no test/ directory exists.
  • Update targetSdkVersion and compileSdkVersion from 25–26 to 34+ to meet modern Play Store requirements and test compatibility with Android 14+.
  • Document the exact WeChat UI element IDs and notification text patterns that HongbaoService watches for (currently implicit in code). Create a IMPLEMENTATION.md file listing tested WeChat versions and their resource IDs.


📝Recent commits

  • 54a5201 — update .travis.yml (larryxiao625)
  • 0fb71ef — Merge pull request #259 from geeeeeeeeek/feature/unpack (larryxiao625)
  • c32854c — remove fir upload (larryxiao625)
  • e93aaeb — Merge pull request #258 from geeeeeeeeek/feature/unpack (larryxiao625)
  • ae31eec — fix can't detected new redpacket (larryxiao625)
  • ca97832 — update ui , replace uber with alipay luckymoney (larryxiao625)
  • 3a85897 — downgrade gradle version (larryxiao625)
  • f95c2dc — fix travis ci error (larryxiao625)
  • 8a23d10 — support travis ci (larryxiao625)
  • cdfef11 — Merge remote-tracking branch 'stream/stable' into feature/unpack (larryxiao625)

🔒Security observations

  • Critical · Hardcoded Keystore Credentials in Build Configuration — app/build.gradle (signingConfigs.releaseConfig). The build.gradle file contains signing configuration that attempts to retrieve keystore passwords from environment variables or project properties. However, the encrypted keystore file 'monkeytong.jks.enc' is present in the repository. If the encryption is weak or the decryption key is compromised, an attacker could extract signing credentials used to sign the APK. Fix: Never commit encrypted keystores to the repository. Use a secure key management system (e.g., GitHub Secrets, CI/CD vault). Rotate the signing key immediately if the repository has been public.
  • High · Outdated Dependencies with Known Vulnerabilities — app/build.gradle (dependencies section). The project uses 'com.tencent.bugly:crashreport_upgrade:latest.release' and 'com.tencent.bugly:nativecrashreport:latest.release' with 'latest.release' versions. This approach prevents reproducible builds and may pull in outdated/vulnerable versions. Additionally, com.android.support library version 25.4.0 is from 2017 and contains known security vulnerabilities. Fix: Pin all dependencies to specific versions. Upgrade to AndroidX (com.androidx.*) instead of deprecated com.android.support. Regularly scan for CVEs using tools like OWASP Dependency-Check or Gradle dependency vulnerability scanning.
  • High · Legacy HTTP Library Usage — app/build.gradle (useLibrary declaration). The build configuration includes 'useLibrary org.apache.http.legacy', which indicates the application is using the deprecated Apache HTTP library. This library has known security vulnerabilities and is not recommended for modern Android applications. Fix: Migrate from Apache HTTP Client to OkHttp or HttpURLConnection. The legacy library should only be used if absolutely necessary for backward compatibility.
  • High · Accessibility Service Misuse Risk — app/src/main/res/xml/accessible_service_config.xml, app/src/main/java/xyz/monkeytong/hongbao/services/HongbaoService.java. The app implements an AccessibilityService (referenced in accessible_service_config.xml) used to automatically interact with WeChat UI elements to capture red packets. This powerful API can be abused for malicious automation, phishing, or unauthorized access to user data. Fix: Ensure the app clearly discloses AccessibilityService usage to users. Implement strict input validation for accessibility events. Consider requesting explicit user consent before automation actions. Review compliance with Google Play Store policies on accessibility service usage.
  • High · Low Minimum SDK Version — app/build.gradle (minSdkVersion 19). The app targets minSdkVersion 19 (Android 4.4.2 from 2013). This version lacks modern security features like StrongBoxKeystore, stricter SELinux policies, and updated TLS implementations. Users on these devices may be vulnerable to exploitation. Fix: Increase minSdkVersion to at least 21-24. If older device support is required, implement additional runtime security checks and use backward-compatible security libraries.
  • Medium · ProGuard Configuration Review Required — app/build.gradle (buildTypes.release), app/proguard-rules.pro. The app enables minifyEnabled for release builds with ProGuard. While this provides some obfuscation, the proguard-rules.pro file content is not visible in the analysis. Improper ProGuard rules can leave sensitive code unobfuscated. Fix: Review proguard-rules.pro to ensure sensitive classes, methods, and strings are properly obfuscated. Use -keepnames sparingly. Consider using R8 (the modern replacement for ProGuard).
  • Medium · WebView Usage Potential — app/src/main/java/xyz/monkeytong/hongbao/activities/WebViewActivity.java. The presence of WebViewActivity.java suggests the app loads web content. WebViews can be vulnerable to JavaScript injection, XSS, and insecure content loading if not properly configured. Fix: Ensure JavaScript is only enabled if necessary. Use setAllowFileAccess(false) and setAllowContentAccess(false). Validate all URLs loaded in WebView. Implement Content Security

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
