AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time or import-time attack behavior was found. A user who launches the CLI and selects a tool can run large-scale TikTok or WhatsApp username-availability checks; WhatsApp checks use QR-authenticated session credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `hablas-tools`, passes the local prompt, and selects a checker workflow.
Impact
May enable automated account/username enumeration and platform-abusive scanning, but no credential exfiltration, remote payload execution, or stealth persistence was confirmed.
Mechanism
Authenticated username enumeration with proxy-assisted TikTok scraping and WhatsApp MEX queries.
Rationale
The source supports potentially abusive large-scale username enumeration, so it warrants a warning. It is not malicious under the firewall boundary because execution is user-invoked and no concrete theft, stealth, payload, or install-time mutation behavior was found.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/proxy.jstools/tiktok/notify.jstools/whatsapp/auth.jstools/whatsapp/menu.jsREADME.mddata/config.jsonauth_info/data/
Network endpoints5
www.tiktok.com/@${username}s.whatsapp.netapi.proxyscrape.comproxylist.geonode.comapi.telegram.org
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `tools/whatsapp/menu.js` offers exhaustive scans of millions of generated usernames.
- `tools/whatsapp/auth.js` QR-authenticates an account, persists Baileys credentials, and queries WhatsApp MEX username availability.
- `tools/tiktok/checker.js` automates profile checks with proxy rotation; `tools/tiktok/proxy.js` fetches public proxies.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `bin/cli.js` only loads tool modules after an interactive password-gated menu choice.
- `shared/config.js` writes configuration locally; the apparent password is a static local gate, not harvested data.
- `tools/tiktok/notify.js` sends only availability messages to user-configured Discord or Telegram destinations.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceshared/config.jsView file
64patternName = generic_password
severity = medium
line = 64
matchedText = password...re',
Medium
Findings
3 Medium4 Low
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings