IntegrationQ: Will my account be at risk when I share my ltoken and ltuid?
A: If you've read the alert above, your account will only be at risk if you share your tokens to people with malicious intents. Although it's really hard to do, if they somehow bypass the Captcha system that hoyolab uses (very hard to do with a bot), there is a chance that they can impersonate you with posting content on hoyolabs.
Q: Is it possible that my account can be stolen with the cookie?
A: (Quoted from Thesadru - Owner of genshinstats library.)
I would like to be completely clear in this aspect, I do no have any way to access the cookies you use to login. If you give your cookie to someone it is indeed possible to get into your account but that doesn't yet mean they can do anything with it. The most probable thing a hacker would do is just do a password request, but since version 1.3 they will need to confirm this request with an email. That means they would need to know what your email is and have a way to get into it, which I doubt they can. Since version 1.5 there is also 2FA which will make it completely impossible to steal your account.
(View in github)
Q: Is my private information at risk when I share my ltoken and ltuid to someone?
A: They can of course access your data like email, phone number and real name, however those are censored so unless they already have an idea what those could be that data is useless to them. For example, tofuboy@gmail.com is seen as t*****y@gmail.com. Same applies to all of the mentioned account information.
I actually don't know how to do this but the person who made the library for genshinstats stated this.
Q: How hard is it to manipulate someone else's account using their ltoken and ltuid on hoyolabs?
A: BoonBot uses genshinstats library (see here). This library does not have any features that allows manipulation of the hoyolab account directly. Therefore I do not hold any power in anyone's account even with ltoken and ltuid.
Thesadru is the person who made genshinstats. View genshinstats repository here.
I wanted to include a very transparent FAQ because I do not want to be accused of anything when something weird happens. Sharing your token to other people is VERY dangerous. Please be very careful. Same goes when you use tavernbot and their Expo cookies method. This is very much the same but with less steps. Although they claim that they do not use the cookies for malicious intents, your cookies are still stored inside a database that the owners can read and record for future use.
Quoted from TavernBot Expo Description:
By Clicking Get a cookie, you're agree to share your personal token to us (we use RSA Encryption to encrypt your cookie, and you token also encrypted on our database and decrypted once while fetching data only, you can revoke your token anytime using unreg command, or using ephemeral token method, instruction on our discrod server https://s.id/dtavern)
Although they say it is encrypted, they can very much decrypt it themselves if they feel like it. It only makes it safe from hackers that try to break into their database, however it does not keep it safe from the people that owns the database that knows how to decrypt your tokens.
I have read the source code of the tavernbot expo, using the expo itself is safe and does not store your cookies immediately, however the source code for the bot itself on discord is not available, so I do not know what happens next once you use /register <cookie>. All I know is that your cookie is stored in a database after you register in the discord bot. However since they are not reliant on genshinstats library, they can very much do all of the things I mentioned above easily without having any troubles that I would have run into.