registry  /  website-api  /  1.2.4

website-api@1.2.4

CLI and library to query website private APIs with your real logged-in Chrome session

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Sensitive primitives are user-invoked and aligned with the package's stated purpose of querying private website APIs using the user's Chrome session.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs CLI/library site queries or explicit ext commands.
Impact
Can access authenticated website data when the user invokes a site, but no hidden lifecycle execution, credential exfiltration, persistence, or destructive behavior was found.
Mechanism
Cookie-aware website API client with optional browser automation and verified extension install flow.
Rationale
Static inspection shows potentially sensitive behavior, but it is explicit product functionality: authenticated site queries, user-selected output files, and confirmed extension installs with integrity checks. Scanner hits for dynamic imports, weak SHA-1, and secrets are explained by optional extension loading, Google SAPISID auth compatibility, and public web/API keys.
Evidence
package.jsondist/bin/cli.jsdist/src/website-api.jsdist/src/core/registry.jsdist/src/core/loader.jsdist/src/capabilities/cookies.jsdist/src/capabilities/http.jsdist/src/sites/maps.google.com/api/index.jsdist/src/sites/voice.google.com/api/voice-helpers.jsdist/src/sites/voice.google.com/api/index.js
Network endpoints6
website-api-list.lgnat.comraw.githubusercontent.comwww.google.com/mapsclients6.google.com/voice/v1/voiceclientvoice.google.comapi.census.gov/data/2022/acs/acs5

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin is user-invoked CLI only.
    • dist/src/website-api.js import-time behavior only loads local .env from package root; no network or code execution.
    • dist/src/capabilities/cookies.js reads Chrome cookies/passwords only when site capabilities are invoked, matching package purpose.
    • dist/src/core/registry.js downloads extension files only via explicit ext commands, verifies sha256, and writes to user config extension dirs.
    • dist/src/sites/maps.google.com/api/index.js bundles a Census API key documented as public/default; overlay fetches Census/Google Maps data for a user-invoked command.
    • dist/src/sites/voice.google.com/api/voice-helpers.js hardcoded Google web API key is labeled public and used for Google Voice endpoints, not exfiltration.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 44 file(s), 266 KB of source, external domains: api.census.gov, api.e-zpassny.com, claude.ai, clients6.google.com, cursor.com, gemini.google.com, mysmartenergy.nj.pseg.com, ollama.com, raw.githubusercontent.com, secure.chase.com, tigerweb.geo.census.gov, voice.google.com, website-api-list.lgnat.com, www.e-zpassny.com, www.google.com, www.perplexity.ai, www.zillow.com

    Source & flagged code

    8 flagged · loading source
    dist/src/sites/voice.google.com/api/voice-helpers.jsView file
    12patternName = google_api_key severity = high line = 12 matchedText = export c...llow
    High
    High Secret

    Package contains a high-severity secret pattern.

    dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L12
    12patternName = google_api_key severity = high line = 12 matchedText = export c...llow
    High
    Secret Pattern

    Google API key in dist/src/sites/voice.google.com/api/voice-helpers.js

    dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L12
    2/** L3: * Google Voice's web app fetches data from a private JSON+protobuf API: L4: * POST https://clients6.google.com/voice/v1/voiceclient/<method>?alt=protojson&key=<API_KEY> L5: * ... L96: "x-javascript-user-agent": "google-api-javascript-client/1.1.0", L97: "x-goog-encode-response-if-executable": "base64", L98: Cookie: cookieHeader,
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L2
    dist/src/core/context.jsView file
    135browser, L136: async eval(fn, arg) { L137: const page = await browser();
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/src/core/context.jsView on unpkg · L135
    dist/src/core/registry.jsView file
    308try { L309: mod = await import(pathToFileURL(filePath).href); L310: }
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/src/core/registry.jsView on unpkg · L308
    dist/src/sites/maps.google.com/api/index.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = website-api@1.2.2 matchedIdentity = npm:d2Vic2l0ZS1hcGk:1.2.2 similarity = 0.884 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/src/sites/maps.google.com/api/index.jsView on unpkg
    dist/src/capabilities/login/login-helper.jsView file
    154patternName = generic_password severity = medium line = 154 matchedText = console....'`);
    Medium
    Secret Pattern

    Hardcoded password in dist/src/capabilities/login/login-helper.js

    dist/src/capabilities/login/login-helper.jsView on unpkg · L154
    dist/src/sites/voice.google.com/api/voice-helpers.d.tsView file
    12patternName = google_api_key severity = high line = 12 matchedText = export d...Bg";
    High
    Secret Pattern

    Google API key in dist/src/sites/voice.google.com/api/voice-helpers.d.ts

    dist/src/sites/voice.google.com/api/voice-helpers.d.tsView on unpkg · L12

    Findings

    1 Critical3 High4 Medium6 Low
    CriticalPrevious Version Dangerous Deltadist/src/sites/maps.google.com/api/index.js
    HighHigh Secretdist/src/sites/voice.google.com/api/voice-helpers.js
    HighSecret Patterndist/src/sites/voice.google.com/api/voice-helpers.js
    HighSecret Patterndist/src/sites/voice.google.com/api/voice-helpers.d.ts
    MediumDynamic Requiredist/src/core/registry.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/src/capabilities/login/login-helper.js
    LowScripts Present
    LowEvaldist/src/core/context.js
    LowWeak Cryptodist/src/sites/voice.google.com/api/voice-helpers.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings