AI Security Review
scanned 3h ago · by lpm-firewall-aiThe package is a Windows system maintenance CLI with powerful user-invoked local diagnostics. The unresolved risk is Wi-Fi credential handling: a generated QR HTML embeds the password in a third-party image URL and opens it in the browser.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs ryoto /wifi, opts to generate a Wi-Fi sharing QR code, and the generated HTML is opened.
Impact
Saved Wi-Fi password may be disclosed to api.qrserver.com during QR image loading.
Mechanism
user-invoked Wi-Fi credential retrieval and third-party QR image URL generation
Rationale
This is not a publish-blocking malicious package because sensitive actions are explicit CLI features and there are no lifecycle hooks or stealth exfiltration. The Wi-Fi QR flow still creates a real credential disclosure risk to a third-party service, so a warning is appropriate.
Evidence
package.jsonindex.jscommands/wifi.jscommands/network.jslib/helpers.jslib/shell.jsconfig.js~/.ryotorc~/.ryoto/holding~/.ryoto/logs/last-error.log~/Desktop/Ryoto-WiFi-QR-<ssid>.html
Network endpoints4
registry.npmjs.orgapi.ipify.orgspeed.cloudflare.com/__down?bytes=10485760api.qrserver.com/v1/create-qr-code/
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- commands/wifi.js can retrieve saved Windows Wi-Fi passwords with netsh key=clear after user confirmation.
- commands/wifi.js generates an HTML QR page whose img src sends SSID/password data to https://api.qrserver.com.
- index.js imports all command modules and lib/helpers.js performs an import-time npm update check to registry.npmjs.org.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Wi-Fi password reveal and QR generation are interactive, user-invoked CLI actions, not install-time behavior.
- lib/shell.js only spawns local PowerShell commands and masks key=clear in error logs.
- Network commands use package-aligned diagnostic endpoints api.ipify.org and speed.cloudflare.com.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcecommands/duplicates.jsView file
59let dupPath = await context.askQuestion('Enter folder path to scan (Press Enter for current directory): ');
L60: if (!dupPath) dupPath = process.cwd();
L61:
Low
Weak Crypto
Package source references weak cryptographic algorithms.
commands/duplicates.jsView on unpkg · L59install.batView file
•path = install.bat
kind = build_helper
sizeBytes = 1477
magicHex = [redacted]
Medium
commands/wifi.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @rahulrc48/ryoto@1.1.6
matchedIdentity = npm:QHJhaHVscmM0OC9yeW90bw:1.1.6
similarity = 0.741
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
commands/wifi.jsView on unpkgFindings
1 High4 Medium4 Low
HighPrevious Version Dangerous Deltacommands/wifi.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.bat
MediumStructural Risk Force Deep Review
LowWeak Cryptocommands/duplicates.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings