
@edictum/captatum@0.7.0

Captatum — adaptive MCP web-fetch tool for AI agents: SSRF-safe, injection-safe reads with a provenance receipt on every call; renders JS only when needed, extracts structured data (JSON-LD/OG).

AI Security Review

scanned 4m ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and file-write primitives are package-aligned: user-invoked web fetching, optional LLM transformation, optional rendering, and explicit agent skill installation.

Static reason
High-risk behavior combination matched the malicious-policy rule; the diff against the previously stored version introduced a source file classified as dangerous.
Trigger
Explicit CLI invocation or MCP tool call by the user/client.
Impact
Fetches user-requested URLs and may write package-owned agent skill guidance only when the user runs the skill install command.
Mechanism
Guarded web fetch/MCP server with optional user-configured LLM provider and explicit skill installer.
Rationale
The risky primitives are activated by explicit CLI/MCP use and match the package’s documented purpose as a guarded web-fetch MCP tool. There is no lifecycle hook, credential harvesting, hidden persistence, remote code execution, or unconsented foreign AI-agent control-surface mutation.
Evidence
• package.json
• bin/captatum.mjs
• dist/cli.js
• dist/interfaces/mcp/stdio-bridge.js
• dist/interfaces/mcp/skill.js
• dist/infrastructure/http/guarded-fetcher.js
• dist/infrastructure/http/body.js
• dist/infrastructure/llm/openrouter.js
• dist/infrastructure/llm/http-json.js
• dist/config.js
• ~/.codex/AGENTS.md
• ~/.claude/skills/captatum/SKILL.md
• ./data/captatum.sqlite
Network endpoints (6)
• openrouter.ai/api/v1
• boards-api.greenhouse.io
• api.lever.co
• api.eu.lever.co
• jobs.ashbyhq.com
• api.ashbyhq.com

Decision evidence

Public snapshot: the AI verdict is Clean (Benign) at 94.0% confidence, with low false-positive risk.
    Evidence for block: none listed.
    Evidence against
    • package.json defines no npm lifecycle scripts; only a bin entrypoint is exposed.
    • bin/captatum.mjs only re-execs local dist/cli.js with args or dist/interfaces/mcp/stdio-bridge.js without args.
    • dist/cli.js fetches a user-supplied URL or runs explicit `captatum skill install/print`; no install/import-time mutation.
    • dist/interfaces/mcp/skill.js writes Claude/Codex skill files only after explicit CLI `skill install`, with package-aligned fetch guidance.
    • dist/infrastructure/http/guarded-fetcher.js validates redirects, DNS/public addresses, blocked ports, timeouts, and byte caps for web fetches.
    • dist/infrastructure/llm/openrouter.js and http-json.js use configured provider endpoints and guard cleartext API-key egress.
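The guarded-fetcher bullet above lists the checks an SSRF-safe fetch layer needs (address validation, blocked ports, redirect re-validation, byte caps). The following is an added example written for this page, not @edictum/captatum's own guarded-fetcher.js, showing how those checks fit together. The port deny-list, the `.test` hostnames, the TEST-NET-3 addresses and the in-memory resolver/transport are all constructed fixtures so the block runs offline; a real implementation would await `dns.promises.resolve` and an HTTP client, and abort the body read as soon as the byte cap is hit.

```javascript
// Added example, not @edictum/captatum's own code: a minimal SSRF guard of the
// kind the review describes. Every resolved address must be public, blocked
// ports are refused, every redirect hop is re-validated, and hop count and body
// size are capped. The resolver and transport are injected synchronous callbacks
// so this runs offline; a real implementation awaits dns.promises and an HTTP client.

const BLOCKED_PORTS = new Set([22, 23, 25, 3306, 5432, 6379, 9200, 11211]); // assumed deny-list
const MAX_HOPS = 5;
const MAX_BYTES = 1024 * 1024;

// Dotted-quad IPv4 to an unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Non-public IPv4 ranges (RFC 1918, loopback, link-local, CGNAT, "this" network,
// multicast, reserved). Documentation ranges like 203.0.113.0/24 stay public here.
const NON_PUBLIC_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function isPublicAddress(ip) {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return !NON_PUBLIC_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
    });
  }
  // IPv6: refuse loopback, unspecified, fc00::/7, fe80::/10 and mapped-IPv4 of non-public hosts.
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::") return false;
  if (/^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6)) return false;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (mapped) return isPublicAddress(mapped[1]);
  return /^[0-9a-f:]+$/.test(v6);
}

// Validate one URL: scheme, embedded credentials, port, then every address the
// hostname resolves to (all records must pass, not just the first).
function checkUrl(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const port = Number(url.port || (url.protocol === "https:" ? 443 : 80));
  if (BLOCKED_PORTS.has(port)) return { ok: false, reason: `port ${port} blocked` };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG URL already normalised 0x7f.1-style hosts
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "hostname did not resolve" };
  const bad = addresses.find((ip) => !isPublicAddress(ip));
  if (bad) return { ok: false, reason: `resolves to non-public address ${bad}` };
  return { ok: true, url, ip: addresses[0] };
}

// Manual redirect handling: each hop is re-validated, so a public host answering
// 302 Location: http://169.254.169.254/ is refused. The checked IP is handed to the
// transport so it connects there instead of resolving the name again (DNS rebinding).
// A real transport aborts the read once MAX_BYTES is exceeded; here the body is in memory.
function guardedFetch(rawUrl, { resolve, transport }) {
  let current = rawUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const verdict = checkUrl(current, resolve);
    if (!verdict.ok) return { ok: false, reason: verdict.reason, hops: hop };
    const res = transport(verdict.url.href, verdict.ip);
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      current = new URL(res.headers.location, verdict.url).href; // relative Location allowed
      continue;
    }
    if (res.body.length > MAX_BYTES) return { ok: false, reason: "body exceeds byte cap", hops: hop };
    return { ok: true, status: res.status, body: res.body, finalUrl: verdict.url.href, hops: hop };
  }
  return { ok: false, reason: "too many redirects", hops: MAX_HOPS };
}

// Constructed fixtures (reserved .test names and TEST-NET-3 addresses, not real hosts).
const RESOLVE_TABLE = {
  "site.test": ["203.0.113.10"],
  "intranet.test": ["10.0.0.5"],
  "rebind.test": ["203.0.113.10", "127.0.0.1"], // one public record, one loopback
};
const fakeResolve = (host) => RESOLVE_TABLE[host] || [];
const FAKE_SERVER = {
  "http://site.test/": { status: 200, headers: {}, body: "hello" },
  "http://site.test/meta": { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
  "http://site.test/loop": { status: 302, headers: { location: "/loop" }, body: "" },
  "http://site.test/big": { status: 200, headers: {}, body: "x".repeat(MAX_BYTES + 1) },
};
const fakeTransport = (href) => FAKE_SERVER[href] || { status: 404, headers: {}, body: "" };
const deps = { resolve: fakeResolve, transport: fakeTransport };
```

With these fixtures, `guardedFetch("http://site.test/", deps)` returns the body after zero hops, while `guardedFetch("http://site.test/meta", deps)` is refused after one hop with a reason naming 169.254.169.254, because the redirect target is validated before it is fetched. `http://rebind.test/` is refused even though its first record is public: a resolver that returns one public and one loopback record is exactly how a rebinding host looks, so every record must pass. The loop fixture stops at MAX_HOPS, and the oversized body is rejected by the byte cap.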
    Behavioral surface
    Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: no manifest risk signals triggered.
    scanned 105 file(s), 394 KB of source, external domains: 127.0.0.1, chatgpt.com, claude.ai, jobs.ashbyhq.com, openrouter.ai

    Source & flagged code

    2 flagged

    dist/interfaces/mcp/format.js, line 112
    Contains invisible/control Unicode U+200B (zero width space). The flagged line (the <U+…> tokens stand in for the raw characters):
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
    Critical: Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    On the line shown, the raw characters sit inside a regex character class whose job is to strip them, together with C0 controls and DEL, from output; that is a sanitizer, not the display-reordering trick Trojan Source attacks rely on. The raw code points still trip scanners and some editors, and writing the class with escapes (\u200B-\u200F\u202A-\u202E) keeps the behavior while leaving no invisible characters in the file.
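The same sanitizer written with escapes, plus the check a scanner applies, as an added example written for this page rather than code from @edictum/captatum. The sanitizer strips exactly the ranges the flagged line strips; the scanner reports a wider set (the isolate controls and the BOM as well), keyed by code point number so that the example file itself never contains a raw invisible character. The two inputs at the end are constructed: the sanitizer's own source text, which should scan clean, and a snippet hiding a raw RIGHT-TO-LEFT OVERRIDE in a comment.

```javascript
// Added example, not @edictum/captatum's own code. The flagged line strips the
// same code points this sanitizer strips, but its character class holds the raw
// characters; written with \u escapes the file itself contains none of them.
// findRawInvisible is the check a scanner or pre-commit hook would run.

// Remove C0/DEL controls, zero-width characters (U+200B..U+200F) and the bidi
// embedding/override controls (U+202A..U+202E) from text shown to a model or user.
function stripControlAndInvisible(value) {
  return value.replace(/[\x00-\x1f\x7f\u200B-\u200F\u202A-\u202E]/g, "");
}

// Code points to report, keyed by number so this file never contains them raw.
const SUSPICIOUS = new Map([
  [0x200b, "ZERO WIDTH SPACE"], [0x200c, "ZERO WIDTH NON-JOINER"],
  [0x200d, "ZERO WIDTH JOINER"], [0x200e, "LEFT-TO-RIGHT MARK"], [0x200f, "RIGHT-TO-LEFT MARK"],
  [0x202a, "LEFT-TO-RIGHT EMBEDDING"], [0x202b, "RIGHT-TO-LEFT EMBEDDING"],
  [0x202c, "POP DIRECTIONAL FORMATTING"], [0x202d, "LEFT-TO-RIGHT OVERRIDE"],
  [0x202e, "RIGHT-TO-LEFT OVERRIDE"], [0x2066, "LEFT-TO-RIGHT ISOLATE"],
  [0x2067, "RIGHT-TO-LEFT ISOLATE"], [0x2068, "FIRST STRONG ISOLATE"],
  [0x2069, "POP DIRECTIONAL ISOLATE"], [0xfeff, "ZERO WIDTH NO-BREAK SPACE"],
]);

// Walk source text by code point and report every raw suspicious character
// with its 1-based line and column.
function findRawInvisible(source) {
  const hits = [];
  let line = 1, col = 0;
  for (const ch of source) {
    if (ch === "\n") { line += 1; col = 0; continue; }
    col += 1;
    const cp = ch.codePointAt(0);
    if (SUSPICIOUS.has(cp)) {
      hits.push({ line, col, codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"), name: SUSPICIOUS.get(cp) });
    }
  }
  return hits;
}

// Constructed inputs: the sanitizer's own source text (escaped, so it should
// scan clean) and a snippet hiding a raw RIGHT-TO-LEFT OVERRIDE in a comment.
const CLEAN_SOURCE = stripControlAndInvisible.toString();
const TROJAN_SOURCE = "if (isAdmin) {\n  // check " + String.fromCodePoint(0x202e) + " reversed\n}\n";
```

`findRawInvisible(CLEAN_SOURCE)` returns an empty list, because `Function.prototype.toString()` returns the escaped text exactly as written, while `findRawInvisible(TROJAN_SOURCE)` reports one hit at line 2, column 12, U+202E. Running the scanner over a repository as a pre-commit check is what turns a Critical scanner finding like the one above into a non-event.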
    dist/infrastructure/http/body.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @edictum/captatum@0.5.0
    matchedIdentity = npm:QGVkaWN0dW0vY2FwdGF0dW0:0.5.0
    similarity = 0.670
    summary = stored previous version shares package body but lacks this dangerous source file
    High: Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    Note that the matched previous version is 0.5.0, not the immediately preceding release, so the delta covers everything shipped between 0.5.0 and 0.7.0. The "dangerous" label is the delta classifier's tag for a newly added file in a flagged category; body.js appears in the evidence file list alongside guarded-fetcher.js, so the review should read the two together.

    Findings

    1 Critical, 1 High, 3 Medium, 4 Low
    Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
    High: Previous Version Dangerous Delta (dist/infrastructure/http/body.js)
    Medium: Network
    Medium: Environment Vars
    Medium: Structural Risk Force Deep Review
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings