registry  /  koishi-plugin-weibo-notify  /  1.0.31

koishi-plugin-weibo-notify@1.0.31

微博帖子更新推送插件,用于获取指定微博用户的最新帖子推送到指定群聊

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The plugin polls configured Weibo subscriptions, optionally performs Weibo QR login, and sends retrieved content through the host Koishi bot.

Static reason
One or more suspicious static signals were detected.
Trigger
Enabling the Koishi plugin with subscriptions or initiating its QR-login flow.
Impact
Weibo session cookies are handled for the plugin’s stated login and monitoring function; no transfer to unrelated endpoints was found.
Mechanism
Weibo API/browser cookie session management and notification delivery.
Rationale
Source inspection shows package-aligned Weibo polling, QR login, cookie refresh, and media handling. The scanner’s network and `https` dependency signals are explained by intended Weibo integration; no concrete malicious chain was found.
Evidence
package.jsonlib/index.jslib/services/cookie.jslib/services/login.jslib/services/message.jslib/services/weibo.jslib/services/weibo-super-topic.jslib/services/config.js
Network endpoints6
passport.weibo.com/weibo.com/www.weibo.com/ajax/statuses/mymblogm.weibo.cn/statuses/extendapi.weibo.com/2/users/show.jsonapi.weibo.cn/2/statuses/container_timeline_topicpage

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only `prepublishOnly`; no install-time hook.
    • `lib/index.js` activates only through Koishi plugin `apply()` and configured polling.
    • `lib/services/cookie.js` obtains Weibo cookies for QR login/refresh and targets Weibo hosts.
    • `lib/services/login.js` stores cookies in the declared `weibo_cookies` Koishi database table.
    • `lib/services/message.js` writes downloaded media only to the OS temp directory.
    • No shell execution, eval/vm, environment harvesting, or non-Weibo exfiltration found.
    Behavioral surface
    Source
    FilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 10 file(s), 97.4 KB of source, external domains: api.weibo.cn, api.weibo.com, m.weibo.cn, passport.weibo.com, weibo.com, www.weibo.com

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    Runtime dependency names matching Node built-ins: https
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg

    Findings

    1 High1 Medium5 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings