registry  /  hablas-tools  /  8.1.0

hablas-tools@8.1.0

HABLAS — Username Intelligence Suite (TikTok + WhatsApp) — Windows/macOS/Linux

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time or import-time attack behavior was found. A user who launches the CLI and selects a tool can run large-scale TikTok or WhatsApp username-availability checks; WhatsApp checks use QR-authenticated session credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `hablas-tools`, passes the local prompt, and selects a checker workflow.
Impact
May enable automated account/username enumeration and platform-abusive scanning, but no credential exfiltration, remote payload execution, or stealth persistence was confirmed.
Mechanism
Authenticated username enumeration with proxy-assisted TikTok scraping and WhatsApp MEX queries.
Rationale
The source supports potentially abusive large-scale username enumeration, so it warrants a warning. It is not malicious under the firewall boundary because execution is user-invoked and no concrete theft, stealth, payload, or install-time mutation behavior was found.
Evidence
package.jsonbin/cli.jsshared/config.jstools/tiktok/checker.jstools/tiktok/proxy.jstools/tiktok/notify.jstools/whatsapp/auth.jstools/whatsapp/menu.jsREADME.mddata/config.jsonauth_info/data/
Network endpoints5
www.tiktok.com/@${username}s.whatsapp.netapi.proxyscrape.comproxylist.geonode.comapi.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `tools/whatsapp/menu.js` offers exhaustive scans of millions of generated usernames.
  • `tools/whatsapp/auth.js` QR-authenticates an account, persists Baileys credentials, and queries WhatsApp MEX username availability.
  • `tools/tiktok/checker.js` automates profile checks with proxy rotation; `tools/tiktok/proxy.js` fetches public proxies.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/cli.js` only loads tool modules after an interactive password-gated menu choice.
  • `shared/config.js` writes configuration locally; the apparent password is a static local gate, not harvested data.
  • `tools/tiktok/notify.js` sends only availability messages to user-configured Discord or Telegram destinations.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 137 KB of source, external domains: api.proxyscrape.com, api.telegram.org, hablas.tech, proxylist.geonode.com, www.tiktok.com

Source & flagged code

1 flagged · loading source
shared/config.jsView file
64patternName = generic_password severity = medium line = 64 matchedText = password...re',
Medium
Secret Pattern

Package contains a possible secret pattern.

shared/config.jsView on unpkg · L64

Findings

3 Medium4 Low
MediumSecret Patternshared/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings