AI Security Review
scanned 2h ago · by lpm-firewall-aiThe CLI provides user-confirmed automation for TikTok and WhatsApp username availability checks. It fetches public proxies, contacts target services, and can notify configured Discord or Telegram destinations. No install-time or covert credential-exfiltration path is established.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs hablas-tools, authenticates, selects a tool, and confirms a scan.
Impact
Can automate account/username reconnaissance and persist WhatsApp session credentials locally.
Mechanism
Interactive bulk username enumeration with proxy rotation and QR-authenticated WhatsApp queries.
Rationale
Source confirms a user-invoked bulk enumeration capability with proxy support and persisted WhatsApp authentication, which warrants a warning. The scanner's generic network/env/secret hints do not establish malware: there are no lifecycle hooks or concrete covert attack chain.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/proxy.jstools/tiktok/notify.jstools/whatsapp/auth.jstools/whatsapp/menu.jsdata/config.jsondata/proxies.txtresults/logs/auth_info/tools/whatsapp/state.js
Network endpoints4
www.tiktok.com/@${username}api.proxyscrape.com/v2/proxylist.geonode.com/api/proxy-listapi.telegram.org/bot${token}/sendMessage
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit menus start bulk TikTok and WhatsApp username scans after confirmation.
- TikTok scanner can rotate fetched public proxies and issue profile requests.
- WhatsApp tool persists QR-auth session material in configurable auth_info/.
Evidence against
- package.json has no preinstall, install, postinstall, or prepare hook.
- bin/cli.js only loads scanning modules after an interactive menu choice.
- No child-process, eval, VM, dynamic code loading, or AI-agent config access found.
- Telegram/Discord requests require user-supplied notification configuration.
- File writes are limited to package data, scan results, logs, proxies, and WhatsApp auth state.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceshared/config.jsView file
64patternName = generic_password
severity = medium
line = 64
matchedText = password...re',
Medium
Findings
3 Medium4 Low
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings