AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. At runtime, the plugin polls Weibo, performs optional QR-cookie login/refresh, and sends configured post updates through Koishi.
Static reason
One or more suspicious static signals were detected.
Trigger
User enables the Koishi plugin and configures subscriptions or QR login.
Impact
Uses user-authorized Weibo cookies to retrieve monitored content; temporary media files may be created for delivery.
Mechanism
Weibo API/browser polling with Koishi database cookie storage and message delivery.
Rationale
Source implements the advertised Koishi Weibo-monitoring and QR-login workflow. Network and cookie handling are package-aligned, and inspection found no install-time execution or concrete exfiltration/persistence chain.
Evidence
package.jsonlib/index.jslib/services/login.jslib/services/cookie.jslib/services/message.jslib/services/weibo.jslib/services/weibo-super-topic.jsreadme.md
Network endpoints6
weibo.com/www.weibo.com/ajax/statuses/mymblogm.weibo.cn/api.weibo.com/2/users/show.jsonapi.weibo.cnpassport.weibo.com/
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime requests include Weibo authentication cookies.
- Media buffers are written to OS temp paths.
- Plugin exposes local Koishi login/status routes.
Evidence against
- `package.json` has only `prepublishOnly`, not install hooks.
- No child-process, shell, eval, VM, dynamic loading, or env harvesting found.
- Network endpoints are Weibo/passport hosts aligned with post monitoring and QR login.
- Cookie persistence is limited to the declared `weibo_cookies` Koishi database model.
- No foreign AI-agent configuration, broad persistence, or destructive file behavior found.
Behavioral surface
FilesystemNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: https
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings