AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an explicitly launched interactive username-checking CLI; its network traffic and optional notifications are package-aligned and user-configured.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `hablas-tools`/`ht`, authenticates, then selects TikTok or WhatsApp checks.
Impact
Checks supplied usernames and writes local configuration, results, and optional WhatsApp authentication state.
Mechanism
User-invoked TikTok page checks, WhatsApp protocol queries, optional proxy retrieval, and optional notifications.
Rationale
Static source inspection shows user-invoked, package-aligned username checking rather than covert execution or exfiltration. The scanner signals correspond to explicit networking, local configuration, and optional user-configured notification features.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/notify.jstools/whatsapp/auth.jsdata/config.jsondata/results/auth_info/
Network endpoints5
www.tiktok.comapi.proxyscrape.comproxylist.geonode.comapi.telegram.orgs.whatsapp.net
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `tools/tiktok/notify.js` can post availability messages to user-configured Discord or Telegram destinations.
- `tools/tiktok/proxy.js` fetches public proxy lists and tests them against TikTok.
- `tools/whatsapp/auth.js` persists WhatsApp session credentials after an explicit QR login.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- `bin/cli.js` only loads TikTok or WhatsApp features after an interactive user menu choice.
- `shared/config.js` stores notification tokens locally and does not transmit them itself.
- `tools/tiktok/notify.js` sends only generated availability status to user-supplied endpoints.
- No source uses shell execution, eval/vm, dynamic payload loading, broad file harvesting, or AI-agent configuration writes.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceshared/config.jsView file
64patternName = generic_password
severity = medium
line = 64
matchedText = password...re',
Medium
tools/tiktok/menu.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = hablas-tools@7.1.3
matchedIdentity = npm:aGFibGFzLXRvb2xz:7.1.3
similarity = 0.875
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
tools/tiktok/menu.jsView on unpkgFindings
1 High3 Medium4 Low
HighPrevious Version Dangerous Deltatools/tiktok/menu.js
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings