registry  /  @botmux-ai/plugin-agent-chrome  /  0.2.0

@botmux-ai/plugin-agent-chrome@0.2.0

Agent Chrome Stack plugin for botmux.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

When the Botmux service starts, the broker binds its HTTP/WebSocket server on all interfaces. Any reachable client can choose a token, open the unauthenticated DevTools proxy, and control the shared Chrome instance.

Static reason
One or more suspicious static signals were detected.
Trigger
Starting the Agent Chrome service on a network-reachable host.
Impact
Remote browser control; access to authenticated browser-session data and actions.
Mechanism
Unauthenticated remote Chrome DevTools and session-control broker.
Rationale
The package is not malicious by intent and has no install-time attack behavior, but its runtime broker contains a critical unauthenticated network exposure. Flag it as a vulnerability warning rather than a publish block.
Evidence
package.jsondist/bin/broker.jsdist/service/runner.jsdist/mcp/server.jsdist/vendor/chrome-devtools-mcp/src/bin/check-latest-version.js
Network endpoints3
127.0.0.1:9223127.0.0.1:9300ws://<broker-host>:9300/s/<token>/devtools/

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/bin/broker.js` listens without a host argument.
  • `dist/bin/broker.js` accepts any `/s/<token>/devtools/` WebSocket upgrade.
  • Broker proxies Chrome DevTools and exposes view/session routes without authentication.
  • No package lifecycle hook runs at consumer install time.
Evidence against
  • `package.json` only has `prepublishOnly`.
  • Service runner invokes package-local scripts and `127.0.0.1` health checks.
  • Vendored update check targets npm registry; no remote payload execution found.
  • Observed shell calls support the documented Chrome/X11 stack.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 82 file(s), 2.24 MB of source, external domains: 127.0.0.1, chromestatus.com, chromeuxreport.googleapis.com, chromium.googlesource.com, chromiumdash.appspot.com, crbug.com, datatracker.ietf.org, developer.chrome.com, developer.mozilla.org, developers.google.com, example.com, fedidcg.github.io, ffmpeg.org, github.com, html.spec.whatwg.org, play.googleapis.com, policies.google.com, privacycg.github.io, privacysandbox.com, react.dev, registry.npmjs.org, urlpattern.spec.whatwg.org, web.dev, wicg.github.io, www.chromium.org, www.ffmpeg.org, www.ietf.org, www.rfc-editor.org
Oversized source lightweight scan
dist/vendor/chrome-devtools-mcp/src/third_party/index.js6.52 MB file, sampled 256 KB
FilesystemNetworkChildProcessCryptoShellHighEntropyStringsUrlStringschromestatus.comchromium.googlesource.comchromiumdash.appspot.comcrbug.comdatatracker.ietf.orgdeveloper.chrome.comdeveloper.mozilla.orgdevelopers.google.comexample.comfedidcg.github.iogithub.comhtml.spec.whatwg.orgprivacycg.github.ioprivacysandbox.comweb.devwicg.github.iowww.chromium.orgwww.ietf.orgwww.rfc-editor.org
dist/vendor/chrome-devtools-mcp/src/third_party/lighthouse-devtools-mcp-bundle.js8.08 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsgithub.com

Source & flagged code

9 flagged · loading source
dist/vendor/chrome-devtools-mcp/src/tools/performance.jsView file
179patternName = google_api_key severity = high line = 179 matchedText = cruxMana...k');
High
High Secret

Package contains a high-severity secret pattern.

dist/vendor/chrome-devtools-mcp/src/tools/performance.jsView on unpkg · L179
179patternName = google_api_key severity = high line = 179 matchedText = cruxMana...k');
High
Secret Pattern

Google API key in dist/vendor/chrome-devtools-mcp/src/tools/performance.js

dist/vendor/chrome-devtools-mcp/src/tools/performance.jsView on unpkg · L179
dist/bin/broker.jsView file
3810var net = require("net"); L3811: var { execSync, spawn } = require("child_process"); L3812: var WebSocket = require_ws();
High
Child Process

Package source references child process execution.

dist/bin/broker.jsView on unpkg · L3810
3804// bin/broker.js L3805: var http = require("http"); L3806: var url = require("url"); ... L3810: var net = require("net"); L3811: var { execSync, spawn } = require("child_process"); L3812: var WebSocket = require_ws(); ... L3814: var CFG = { L3815: display: process.env.ACS_DISPLAY || ":77", L3816: chromePort: parseInt(process.env.ACS_CHROME_PORT || "9223", 10),
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/broker.jsView on unpkg · L3804
26kStatusCode: /* @__PURE__ */ Symbol("status-code"), L27: kWebSocket: /* @__PURE__ */ Symbol("websocket"), L28: NOOP: () => { ... L79: } else { L80: buf = Buffer.from(data); L81: toBuffer.readOnly = false; ... L91: }; L92: if (!process.env.WS_NO_BUFFER_UTIL) { L93: try { ... L143: * L144: * @private L145: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin/broker.jsView on unpkg · L26
dist/vendor/chrome-devtools-mcp/src/third_party/devtools-formatter-worker.jsView file
8376} L8377: eval(val) { L8378: const sign = val < 0 ? -1 : 1.0;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/vendor/chrome-devtools-mcp/src/third_party/devtools-formatter-worker.jsView on unpkg · L8376
dist/vendor/chrome-devtools-mcp/src/utils/check-for-updates.jsView file
5Cross-file remote execution chain: dist/vendor/chrome-devtools-mcp/src/utils/check-for-updates.js spawns dist/dashboard/index.js; helper contains network access plus dynamic code execution. L5: */ L6: import child_process from 'node:child_process'; L7: import fs from 'node:fs/promises'; ... L22: export async function checkForUpdates(message) { L23: if (isChecking || process.env['CHROME_DEVTOOLS_MCP_NO_UPDATE_CHECKS']) { L24: return; ... L26: isChecking = true; L27: const cachePath = path.join(os.homedir(), '.cache', 'chrome-devtools-mcp', 'latest.json'); L28: let cachedVersion; ... L32: const data = await fs.readFile(cachePath, 'utf8'); L33: cachedVersion = JSON.parse(data).version; L34: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/vendor/chrome-devtools-mcp/src/utils/check-for-updates.jsView on unpkg · L5
dist/bin/start-display.shView file
path = dist/bin/start-display.sh kind = build_helper sizeBytes = 1593 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/bin/start-display.shView on unpkg
dist/vendor/chrome-devtools-mcp/src/third_party/lighthouse-devtools-mcp-bundle.jsView file
path = dist/vendor/chrome-devtools-mcp/src/third_party/lighthouse-devtools-mcp-bundle.js kind = oversized_source_file sizeBytes = 8475771 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/vendor/chrome-devtools-mcp/src/third_party/lighthouse-devtools-mcp-bundle.jsView on unpkg

Findings

7 High4 Medium7 Low
HighHigh Secretdist/vendor/chrome-devtools-mcp/src/tools/performance.js
HighChild Processdist/bin/broker.js
HighShell
HighSame File Env Network Executiondist/bin/broker.js
HighCross File Remote Execution Contextdist/vendor/chrome-devtools-mcp/src/utils/check-for-updates.js
HighOversized Source Filedist/vendor/chrome-devtools-mcp/src/third_party/lighthouse-devtools-mcp-bundle.js
HighSecret Patterndist/vendor/chrome-devtools-mcp/src/tools/performance.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/bin/start-display.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/vendor/chrome-devtools-mcp/src/third_party/devtools-formatter-worker.js
LowWeak Cryptodist/bin/broker.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings