registry  /  nodebb-plugin-admin-chats  /  3.4.0

nodebb-plugin-admin-chats@3.4.0

A plugin that allows the administrator to view and manage user chats.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

At runtime, the plugin retains pre-edit chat text in NodeBB storage and makes it available through concealed privileged routes. No install-time behavior, external exfiltration, or host-level file mutation is established.

Static reason
No blocking static signals were detected.
Trigger
A chat message is edited, then a privileged admin-chats user requests a hidden history route.
Impact
Privileged users can retrieve historical message content not presented in the normal UI, increasing chat-surveillance and retention risk.
Mechanism
Monkey-patches chat editing to persist prior content and serve it via concealed admin endpoints.
Rationale
Source inspection found a concealed, privileged chat-history retention feature but no concrete malware chain, exfiltration, install hook, or unauthorized control-surface mutation. Flag it for warning rather than block.
Evidence
library.jsclient.jspackage.jsonplugin.json

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • library.js wraps Messaging.editMessage and persists previous message content.
  • library.js exposes unlinked /api/admin-chats/history/:mid and /admin-chats/history/:mid routes.
  • Comments state edit history is deliberately omitted from UI and payloads.
  • Hidden history is readable by privileged admin-chats accounts.
Evidence against
  • package.json has no lifecycle scripts or dependencies.
  • No child-process, eval, remote code loading, credential harvesting, or external network host appears in source.
  • client.js fetches only same-origin NodeBB /api/admin-chats endpoints with CSRF credentials.
  • History routes and lock mutations check NodeBB administrator or plugin privileges.
Behavioral surface
Source
DynamicRequireFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 82.0 KB of source

Source & flagged code

1 flagged · loading source
client.jsView file
211L212: require(['forum/chats', 'forum/chats/messages'], function(Chats, ChatsMessages) { L213: if (!Chats) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

client.jsView on unpkg · L211

Findings

2 Medium2 Low
MediumDynamic Requireclient.js
MediumNetwork
LowFilesystem
LowNo License