| Risk | Description | Likelihood |
|------|-------------|------------|
| Hidden back‑door | Malicious code may create an undocumented admin account or a remote shell, typically hidden behind a construct such as `eval(base64_decode(...))`. | High (observed in many community‑released nulled packs) |
| Malware dropper | The package can include a separate PHP file that downloads ransomware or crypto‑miner payloads. | Medium‑High |
| Obfuscated code | Use of `gzinflate`, `str_rot13`, or `preg_replace` with the `e` pattern modifier (evaluates the replacement as PHP code; deprecated in PHP 5.5 and removed in PHP 7.0) makes static analysis difficult. | High |
| License bypass | Removing the license check does not guarantee a working install; files stripped or altered during nulling may cause runtime errors. | Medium |
| No support / updates | Vulnerabilities disclosed after 2017 will never be patched in this copy and remain exploitable. | Certain |

| Sub‑Feature | Description | Configurable Options |
|------------|-------------|----------------------|
| Realtime Text Chat | WebSocket‑based duplex channel delivering < 50 ms latency for private, group, and public chats. | • Transport: WebSocket (fallback to Long‑Polling/Server‑Sent Events). • Message size limit: 2 KB (adjustable up to 10 KB). |
| Message Persistence | All messages are stored in MySQL (or MariaDB), with optional archiving to a separate `arrowchat_archive` table after a retention period (default 30 days). | • Retention period (days). • Archive table prefix. |
| Read/Delivered Receipts | Per‑message flags for “sent”, “delivered”, and “read” with timestamps. | • Enable/disable receipts globally or per‑user. |
| Typing Indicators | Instant “X is typing…” notification via a lightweight typing event. | • Indicator style (text, animated dots). |
| Message Reactions | Emoji reactions (👍, ❤️, 😂, etc.) attached to any message; counts are stored and displayed in real time. | • Custom emoji packs. • Max reactions per message (default 5). |
| Message Editing & Deleting | Users can edit or delete their own messages within a configurable window (default 5 minutes). | • Edit window length. • Soft‑delete (strikethrough) vs. hard‑delete. |
| Rich‑Media Embeds | Automatic link preview (title, description, thumbnail) powered by Open Graph parsing. | • Enable/disable per‑channel. • Domain allow‑list (the preview fetcher makes server‑side requests to user‑supplied URLs, so restrict which hosts it may contact). |
| File Transfer | Direct upload of images, videos, PDFs, ZIPs (up to 20 MB per file). | • Allowed MIME types. • Virus‑scan integration (ClamAV). |

| Sub‑Feature | Description | Configurable Options |
|------------|-------------|----------------------|
| End‑to‑End Encryption (E2EE) | Optional client‑side encryption using the Signal Protocol for private messages; server‑side features such as content moderation and archiving then see only ciphertext for those conversations. | • Enable per‑conversation. |
| CSRF & XSS Protection | Token‑based validation of state‑changing requests; user‑supplied HTML is sanitized with HTMLPurifier against an allow‑list of tags and attributes. | • Allowed HTML tags. |
| Rate Limiting | Prevent spamming via per‑IP and per‑user limits on message sends, file uploads, and channel creation. | • Limits (e.g., 10 msg/sec). |
| Content Moderation | Integrated profanity filter (language‑aware) and image moderation via third‑party APIs (Microsoft Content Moderator, Google Vision). | • Sensitivity level, whitelist/blacklist. |
| Audit Logs | Immutable log of admin actions (room deletions, user bans, config changes). | • Log retention (days). |
| GDPR / CCPA Tools | Export of personal data, deletion requests, and consent management UI. | • Data retention policies. |
| Secure File Handling | All uploads scanned for malware, stored outside web root, served via signed URLs with expiration. | • Max upload size, allowed extensions. |
| Two‑Factor Authentication (2FA) | TOTP (Google Authenticator) and backup codes for admin accounts. | • Enforce 2FA for privileged users. |