AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface was found. The package does collect service login credentials and token during user-invoked CLI login, then stores them locally in plaintext and sends them over HTTP to a hardcoded IP.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs stella login or interactive stella chat; bot.js only if manually executed.
Impact
Potential exposure of Stella service credentials/token due plaintext local storage and default HTTP transport, but no evidence of unrelated credential theft or covert exfiltration.
Mechanism
user-invoked service auth and LLM API client with insecure credential handling
Rationale
Static inspection shows risky credential handling, but the credential flow is user-invoked and aligned with the advertised Stella CLI authentication path rather than covert malware behavior. Because the default endpoint is unauthenticated HTTP to a hardcoded IP and plaintext secrets are stored, downgrade to warn rather than mark clean.
Evidence
package.jsonbin/stella.jsbot.js~/.stella/config.json
Network endpoints4
62.238.2.22:8787t.me/ofical_stellabot127.0.0.1:8788telegra.ph/Polzovatelskoe-soglashenie-06-26-600
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- bin/stella.js prompts for login/password and POSTs them to /api/v1/auth/login on default http://62.238.2.22:8787.
- bin/stella.js persists login, password, token, and user under ~/.stella/config.json in plaintext.
- bot.js contains a hardcoded Telegram bot token and starts polling if manually executed.
Evidence against
- package.json has no lifecycle scripts; install/import does not execute code automatically.
- Only declared bin is bin/stella.js; risky network calls require user running stella login/chat.
- No child_process, eval/vm/Function, native loading, persistence, destructive behavior, or project/AI-agent control-surface writes found.
- Network calls are aligned with the package's advertised CLI assistant/auth functionality; no harvesting of unrelated env/files observed.
- bot.js is not declared as bin/main and its HUB_URL defaults to localhost.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebot.jsView file
2L3: const BOT_TOKEN = process.env.BOT_TOKEN || "8757382004:AAF7A1_weZlvg4YtHGO1emYiFY4itYf2h0w"
L4: const HUB_URL = process.env.HUB_URL || "http://127.0.0.1:8788"
L5: const bot = new TelegramBot(BOT_TOKEN, { polling: true })
...
L19: if (token) headers["Authorization"] = `Bearer ${token}`
L20: return fetch(`${HUB_URL}${path}`, { method, headers, body: body ? JSON.stringify(body) : undefined }).then(r => r.json()).catch(e => ({ ok: false, error: e.message }))
L21: }
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
bot.jsView on unpkg · L2Findings
1 Critical2 Medium3 Low
CriticalCredential Exfiltrationbot.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings