AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package includes a user-invoked Turnstile bypass helper, which is a dangerous dual-use capability, but the shipped code references a missing package.json profile.baseurl value and provides no concrete host.
Decision evidence
public snapshot
- package.json declares preinstall hook node ./engine-requirements.js
- lib/Function/Tools/bypass.js exports BypassTurnstileMin for Turnstile bypass via fetch
- lib/Function/Download/tiktok.js exports a TikTok downloader via fetch
- lib/Utils/messages-media.js uses child_process.exec for ffmpeg thumbnail generation on user media paths
- engine-requirements.js only checks Node major version and exits if <20; no file/network access
- lib/index.js import-time behavior is banner printing and exports; no exfiltration or payload loading found
- Network use is aligned with WhatsApp client/media behavior or explicit helper functions
- Scanner secret hits in WABinary/constants.js are protocol token strings, not embedded credentials
- No AI-agent control-surface writes, persistence, credential harvesting, or install-time mutation found
Source & flagged code
6 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a high-severity secret pattern. (lib/WABinary/constants.js, L602)
- Google API key in lib/WABinary/constants.js (lib/WABinary/constants.js, L602)
- Package source references a known benign dynamic code generation pattern. (lib/Utils/messages-media.js, L200)
- Package source references weak cryptographic algorithms. (lib/Utils/crypto.js, L4)
- Package contains source files above the static scanner size ceiling. (WAProto/HistorySync/HistorySync.js)