registry  /  hablas-tools  /  7.1.4

hablas-tools@7.1.4

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an explicitly launched interactive username-checking CLI; its network traffic and optional notifications are package-aligned and user-configured.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `hablas-tools`/`ht`, authenticates, then selects TikTok or WhatsApp checks.
Impact
Checks supplied usernames and writes local configuration, results, and optional WhatsApp authentication state.
Mechanism
User-invoked TikTok page checks, WhatsApp protocol queries, optional proxy retrieval, and optional notifications.
Rationale
Static source inspection shows user-invoked, package-aligned username checking rather than covert execution or exfiltration. The scanner signals correspond to explicit networking, local configuration, and optional user-configured notification features.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/notify.jstools/whatsapp/auth.jsdata/config.jsondata/results/auth_info/
Network endpoints5
www.tiktok.comapi.proxyscrape.comproxylist.geonode.comapi.telegram.orgs.whatsapp.net

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `tools/tiktok/notify.js` can post availability messages to user-configured Discord or Telegram destinations.
  • `tools/tiktok/proxy.js` fetches public proxy lists and tests them against TikTok.
  • `tools/whatsapp/auth.js` persists WhatsApp session credentials after an explicit QR login.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • `bin/cli.js` only loads TikTok or WhatsApp features after an interactive user menu choice.
  • `shared/config.js` stores notification tokens locally and does not transmit them itself.
  • `tools/tiktok/notify.js` sends only generated availability status to user-supplied endpoints.
  • No source uses shell execution, eval/vm, dynamic payload loading, broad file harvesting, or AI-agent configuration writes.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 115 KB of source, external domains: api.proxyscrape.com, api.telegram.org, hablas.tech, proxylist.geonode.com, www.tiktok.com

Source & flagged code

2 flagged · loading source
shared/config.jsView file
64patternName = generic_password severity = medium line = 64 matchedText = password...re',
Medium
Secret Pattern

Package contains a possible secret pattern.

shared/config.jsView on unpkg · L64
tools/tiktok/menu.jsView file
matchType = previous_version_dangerous_delta matchedPackage = hablas-tools@7.1.3 matchedIdentity = npm:aGFibGFzLXRvb2xz:7.1.3 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tools/tiktok/menu.jsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltatools/tiktok/menu.js
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings