AI Security Review
scanned 2h ago · by lpm-firewall-aiAt runtime, the plugin retains pre-edit chat text in NodeBB storage and makes it available through concealed privileged routes. No install-time behavior, external exfiltration, or host-level file mutation is established.
Static reason
No blocking static signals were detected.
Trigger
A chat message is edited, then a privileged admin-chats user requests a hidden history route.
Impact
Privileged users can retrieve historical message content not presented in the normal UI, increasing chat-surveillance and retention risk.
Mechanism
Monkey-patches chat editing to persist prior content and serve it via concealed admin endpoints.
Rationale
Source inspection found a concealed, privileged chat-history retention feature but no concrete malware chain, exfiltration, install hook, or unauthorized control-surface mutation. Flag it for warning rather than block.
Evidence
library.jsclient.jspackage.jsonplugin.json
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- library.js wraps Messaging.editMessage and persists previous message content.
- library.js exposes unlinked /api/admin-chats/history/:mid and /admin-chats/history/:mid routes.
- Comments state edit history is deliberately omitted from UI and payloads.
- Hidden history is readable by privileged admin-chats accounts.
Evidence against
- package.json has no lifecycle scripts or dependencies.
- No child-process, eval, remote code loading, credential harvesting, or external network host appears in source.
- client.js fetches only same-origin NodeBB /api/admin-chats endpoints with CSRF credentials.
- History routes and lock mutations check NodeBB administrator or plugin privileges.
Behavioral surface
DynamicRequireFilesystemNetwork
NoLicense
Source & flagged code
1 flagged · loading sourceclient.jsView file
211L212: require(['forum/chats', 'forum/chats/messages'], function(Chats, ChatsMessages) {
L213: if (!Chats) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
client.jsView on unpkg · L211Findings
2 Medium2 Low
MediumDynamic Requireclient.js
MediumNetwork
LowFilesystem
LowNo License