AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The plugin polls configured Weibo subscriptions, optionally performs Weibo QR login, and sends retrieved content through the host Koishi bot.
Static reason
One or more suspicious static signals were detected.
Trigger
Enabling the Koishi plugin with subscriptions or initiating its QR-login flow.
Impact
Weibo session cookies are handled for the plugin’s stated login and monitoring function; no transfer to unrelated endpoints was found.
Mechanism
Weibo API/browser cookie session management and notification delivery.
Rationale
Source inspection shows package-aligned Weibo polling, QR login, cookie refresh, and media handling. The scanner’s network and `https` dependency signals are explained by intended Weibo integration; no concrete malicious chain was found.
Evidence
package.jsonlib/index.jslib/services/cookie.jslib/services/login.jslib/services/message.jslib/services/weibo.jslib/services/weibo-super-topic.jslib/services/config.js
Network endpoints6
passport.weibo.com/weibo.com/www.weibo.com/ajax/statuses/mymblogm.weibo.cn/statuses/extendapi.weibo.com/2/users/show.jsonapi.weibo.cn/2/statuses/container_timeline_topicpage
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has only `prepublishOnly`; no install-time hook.
- `lib/index.js` activates only through Koishi plugin `apply()` and configured polling.
- `lib/services/cookie.js` obtains Weibo cookies for QR login/refresh and targets Weibo hosts.
- `lib/services/login.js` stores cookies in the declared `weibo_cookies` Koishi database table.
- `lib/services/message.js` writes downloaded media only to the OS temp directory.
- No shell execution, eval/vm, environment harvesting, or non-Weibo exfiltration found.
Behavioral surface
FilesystemNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: https
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings