registry  /  ani-auto  /  2.0.0

ani-auto@2.0.0

automatic anime episode downloader

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. Risky primitives are package-aligned downloader/web UI behavior, with a notable privacy concern from hardcoded Telegram bot notifications.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs setup/download/daemon/web/cf-bypass commands and opts into related features.
Impact
Potential privacy disclosure of anime download status through the bundled Telegram bot if notifications are enabled; no credential harvesting/exfiltration confirmed.
Mechanism
user-invoked anime downloader, notifier, updater, daemon, and Cloudflare-cookie helper
Rationale
Static inspection found no lifecycle hook, stealth persistence, broad credential collection, or concrete exfiltration chain. The hardcoded Telegram bot and animepahe cookie reader are concerning but user-configured/package-aligned features rather than confirmed malicious behavior.
Evidence
package.jsonsrc/cli.jssrc/notify.jssrc/config.jssrc/anilist.jssrc/engine.jssrc/scraper.jssrc/api/cf-bypass.jscookiereader.pyanime/models/playModel.js~/.config/ani-auto/config.json~/.config/systemd/user/ani-auto.service<configured outputDir>/<anime title>/<episode>.mp4/tmp/ani-auto-poster.jpg
Network endpoints5
api.telegram.org/bot<hardcoded-token>/sendPhotoapi.telegram.org/bot<hardcoded-token>/sendMessagegraphql.anilist.coregistry.npmjs.org/ani-auto/latestanimepahe.pw

Decision evidence

public snapshot
AI called this Suspicious at 76.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/notify.js uses a hardcoded Telegram bot token for user-configured notifications, so notification contents go through a bot controlled by that token holder.
  • cookiereader.py can read browser cookies filtered to animepahe/pahe domains, but only via explicit cf-bypass helper paths.
Evidence against
  • package.json defines no preinstall/install/postinstall lifecycle hooks; execution is via bin/scripts user commands.
  • src/notify.js sends download status/anime titles to Telegram only when telegramChatId is configured and telegramNotify is not false.
  • src/config.js stores AniList tokens locally under ~/.config/ani-auto/config.json; src/anilist.js sends them only as Bearer auth to graphql.anilist.co.
  • anime/models/playModel.js VM execution is bounded and used to extract m3u8 URLs from scraped player scripts, with no Node globals in the sandbox.
  • src/api/cf-bypass.js/cookiereader.py are explicit Cloudflare bypass helpers for animepahe cookies and do not post cookies to an external endpoint.
  • src/cli.js update/daemon/editor child_process use is user-invoked CLI functionality, not install-time stealth behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 65 file(s), 333 KB of source, external domains: anilist.co, animepahe.pw, aor-rex-anikuro-api.hf.space, api.telegram.org, github.com, graphql.anilist.co, i.animepahe.pw, kwik.cx, registry.npmjs.org, www.google.com

Source & flagged code

6 flagged · loading source
anime/models/playModel.jsView file
50L51: if (!script.includes('eval(')) continue; L52:
High
Eval

Package source references dynamic code evaluation.

anime/models/playModel.jsView on unpkg · L50
50L51: if (!script.includes('eval(')) continue; L52: ... L162: L163: const fullText = $element.text().trim(); L164: const normalized = fullText
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

anime/models/playModel.jsView on unpkg · L50
anime/utils/diskCache.jsView file
6// Cache directory — use /tmp for ephemeral storage (HF Spaces compatible) L7: const CACHE_DIR = process.env.DISK_CACHE_DIR || path.join("/tmp", "anikuro-cache"); L8: ... L51: const raw = await fs.readFile(filePath, "utf8"); L52: const entry = JSON.parse(raw); L53:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

anime/utils/diskCache.jsView on unpkg · L6
src/notify.jsView file
2L3: const { execSync } = require('child_process'); L4: const fetch = require('node-fetch'); ... L10: if (!photoUrl) return null; L11: const res = await fetch(photoUrl, { timeout: 10000 }); L12: if (!res.ok) { ... L27: for (const [key, value] of Object.entries(fields)) { L28: chunks.push(Buffer.from( L29: `--${boundary}\r\n` + L30: `Content-Disposition: form-data; name="${key}"\r\n\r\n` + L31: `${value}\r\n` ... L198: async function notifyDaemonStart(intervalMinutes, downloadingCount) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/notify.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> src/cli.js -> src/daemon.js -> src/notify.js L2: L3: const { execSync } = require('child_process'); L4: const fetch = require('node-fetch'); ... L10: if (!photoUrl) return null; L11: const res = await fetch(photoUrl, { timeout: 10000 }); L12: if (!res.ok) { ... L27: for (const [key, value] of Object.entries(fields)) { L28: chunks.push(Buffer.from( L29: `--${boundary}\r\n` + L30: `Content-Disposition: form-data; name="${key}"\r\n\r\n` + L31: `${value}\r\n` ... L198: async function notifyDaemonStart(intervalMinutes, downloadingCount) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/notify.jsView on unpkg · L2
cookiereader.pyView file
path = cookiereader.py kind = build_helper sizeBytes = 10327 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cookiereader.pyView on unpkg

Findings

2 Critical1 High5 Medium6 Low
CriticalCredential Exfiltrationsrc/notify.js
CriticalTrigger Reachable Dangerous Capabilitysrc/notify.js
HighEvalanime/models/playModel.js
MediumUnsafe Vm Contextanime/models/playModel.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercookiereader.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoanime/utils/diskCache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License