AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Preinstall only checks the local Node.js major version; runtime networking implements the package’s WhatsApp Web client behavior.
Decision evidence
public snapshot- `lib/Utils/messages-media.js` invokes `ffmpeg` for video thumbnails.
- `lib/index.js` prints a promotional banner on import.
- `engine-requirements.js` only enforces Node.js 20+ during preinstall.
- No install hook writes files, runs network calls, or mutates agent configuration.
- `lib/Utils/messages.js` passes generated temporary paths to thumbnail processing.
- Network code targets WhatsApp services and an explicit Baileys version helper.
- `lib/Utils/use-multi-file-auth-state.js` confines persistence to the caller-supplied auth folder.
- No credential/environment harvesting, eval, remote payload loader, or persistence mechanism found.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage contains a high-severity secret pattern.
lib/WABinary/constants.jsView on unpkg · L600Google API key in lib/WABinary/constants.js
lib/WABinary/constants.jsView on unpkg · L600Package source references weak cryptographic algorithms.
lib/Utils/validate-connection.jsView on unpkg · L107Package ships non-JavaScript build or shell helper files.
WAProto/GenerateStatics.shView on unpkgPackage contains source files above the static scanner size ceiling.
WAProto/index.jsView on unpkg