registry  /  @ahtmljs/cli  /  1.1.0

@ahtmljs/cli@1.1.0

AHTML auditor CLI — npx @ahtmljs/cli doctor <url> walks the AHTML discovery chain (.well-known + /ahtml + /llms.txt + /ahtml/mcp.json + /ahtml/openapi.json) on a live site and reports what's well-formed, what's missing, and what AI clients can already con

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `ahtml mcp <url>` and an attached MCP client invokes its tools.
Impact
An attached agent/client could use the tool to request arbitrary URLs or invoke actions advertised by the selected site.
Mechanism
MCP-exposed HTTP fetch and action POST proxy.
Rationale
Source inspection supports a warning for the explicit MCP proxy's broad network/action capability, not a malware block. The package has no lifecycle scripts and no confirmed unconsented control-surface mutation.
Evidence
package.jsondist/cli.jsdist/fetch.jsdist/doctor.jsdist/commands/mcp.jsdist/commands/init.jsdist/commands/llms.js
Network endpoints2
<user-supplied URL><selected-site origin>

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/mcp.js` exposes an MCP `fetch_page` tool that fetches caller-supplied URLs for non-AHTML targets.
  • `dist/commands/mcp.js` exposes `invoke_action`, posting MCP-provided arguments to action URLs declared by the target site.
  • `dist/commands/init.js` can modify a user-selected project and its `package.json` only through explicit `ahtml init` execution.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • All network activity is reached through explicit CLI commands; imports only define command handlers.
  • No child-process, shell, eval/vm, credential harvesting, hidden persistence, or foreign AI-agent configuration writes were found.
  • `dist/commands/llms.js` writes only when the user passes `--out`.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 95.1 KB of source, external domains: badge.ahtmljs.com, github.com, index.ahtmljs.com, schema.org, shop.example.com

Source & flagged code

3 flagged · loading source
dist/commands/mcp.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/mcp.js` exposes an MCP `fetch_page` tool that fetches caller-supplied URLs for non-AHTML targets.

dist/commands/mcp.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/commands/mcp.js` exposes `invoke_action`, posting MCP-provided arguments to action URLs declared by the target site.

dist/commands/mcp.jsView on unpkg
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/init.js` can modify a user-selected project and its `package.json` only through explicit `ahtml init` execution.

package.jsonView on unpkg

Findings

5 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/commands/mcp.js
MediumAi Review Evidencedist/commands/mcp.js
MediumAi Review Evidencepackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings