registry  /  @rahulrc48/ryoto  /  1.1.7

@rahulrc48/ryoto@1.1.7

Interactive System Maintenance CLI tool

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package is a Windows system maintenance CLI with powerful user-invoked local diagnostics. The unresolved risk is Wi-Fi credential handling: a generated QR HTML embeds the password in a third-party image URL and opens it in the browser.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs ryoto /wifi, opts to generate a Wi-Fi sharing QR code, and the generated HTML is opened.
Impact
Saved Wi-Fi password may be disclosed to api.qrserver.com during QR image loading.
Mechanism
user-invoked Wi-Fi credential retrieval and third-party QR image URL generation
Rationale
This is not a publish-blocking malicious package because sensitive actions are explicit CLI features and there are no lifecycle hooks or stealth exfiltration. The Wi-Fi QR flow still creates a real credential disclosure risk to a third-party service, so a warning is appropriate.
Evidence
package.jsonindex.jscommands/wifi.jscommands/network.jslib/helpers.jslib/shell.jsconfig.js~/.ryotorc~/.ryoto/holding~/.ryoto/logs/last-error.log~/Desktop/Ryoto-WiFi-QR-<ssid>.html
Network endpoints4
registry.npmjs.orgapi.ipify.orgspeed.cloudflare.com/__down?bytes=10485760api.qrserver.com/v1/create-qr-code/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • commands/wifi.js can retrieve saved Windows Wi-Fi passwords with netsh key=clear after user confirmation.
  • commands/wifi.js generates an HTML QR page whose img src sends SSID/password data to https://api.qrserver.com.
  • index.js imports all command modules and lib/helpers.js performs an import-time npm update check to registry.npmjs.org.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Wi-Fi password reveal and QR generation are interactive, user-invoked CLI actions, not install-time behavior.
  • lib/shell.js only spawns local PowerShell commands and masks key=clear in error logs.
  • Network commands use package-aligned diagnostic endpoints api.ipify.org and speed.cloudflare.com.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 173 KB of source, external domains: api.ipify.org, api.qrserver.com, speed.cloudflare.com

Source & flagged code

3 flagged · loading source
commands/duplicates.jsView file
59let dupPath = await context.askQuestion('Enter folder path to scan (Press Enter for current directory): '); L60: if (!dupPath) dupPath = process.cwd(); L61:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

commands/duplicates.jsView on unpkg · L59
install.batView file
path = install.bat kind = build_helper sizeBytes = 1477 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.batView on unpkg
commands/wifi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rahulrc48/ryoto@1.1.6 matchedIdentity = npm:QHJhaHVscmM0OC9yeW90bw:1.1.6 similarity = 0.741 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

commands/wifi.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltacommands/wifi.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.bat
MediumStructural Risk Force Deep Review
LowWeak Cryptocommands/duplicates.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings