registry  /  @edictum/captatum  /  0.17.0

@edictum/captatum@0.17.0

Captatum — adaptive MCP web-fetch tool for AI agents: SSRF-safe, injection-safe reads with a provenance receipt on every call; renders JS only when needed, extracts structured data (JSON-LD/OG).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `captatum skill install --target claude|codex`.
Impact
Changes future agent guidance to recommend the package's web-fetch command.
Mechanism
Writes a bounded Captatum skill section to agent configuration files.
Rationale
The malicious scanner verdict is unsupported by source inspection. The explicit agent-config mutation is a real capability requiring a warning under the firewall policy, not a publish block.
Evidence
package.jsonbin/captatum.mjsdist/cli.jsdist/interfaces/mcp/skill.jsdist/infrastructure/http/dns.jsdist/infrastructure/llm/safety.jsdist/interfaces/mcp/format.js~/.codex/AGENTS.md~/.claude/skills/captatum/SKILL.md

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/interfaces/mcp/skill.js` writes to `~/.codex/AGENTS.md` and `~/.claude/skills/captatum/SKILL.md`.
  • `dist/cli.js` exposes this mutation through explicit `captatum skill install` only.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `bin/captatum.mjs` only dispatches the user-invoked CLI or stdio MCP bridge.
  • No credential harvesting, hidden shell execution, or exfiltration path was found.
  • `dist/infrastructure/http/dns.js` rejects loopback, private, and reserved resolved addresses.
  • `dist/interfaces/mcp/format.js` contains no bidi/invisible controls; the scanner Trojan-Source hint is false.
  • `dist/infrastructure/llm/safety.js` identifies sensitive URLs/content to prevent LLM egress.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 130 file(s), 554 KB of source, external domains: jobs.ashbyhq.com, openrouter.ai

Source & flagged code

2 flagged · loading source
dist/infrastructure/llm/safety.jsView file
14const SENSITIVE_CREDENTIAL_PATTERNS = [ L15: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/i, L16: /\bgh[opsu]_[A-Za-z0-9]{20,}\b/, ... L46: * cleanly) but ALLOWS '[' — a literal '[' in a path before a credential query (e.g. L47: * https://files.example/a[draft?access_token=…) must not truncate the match. The IPv6 alternation L48: * owns '[' at the host position, so allowing it in a normal path is safe. Bounded vs ReDoS. */ ... L134: /** Redact signed/tokenized param values from a URL before display (INFOLEAK-1). HOST-AGNOSTIC L135: * (substring + URLSearchParams; never `new URL`, which throws on a malformed host + fails open). L136: * Normalizes HTML-escaped separators (&/&/&) + redacts BOTH the query AND the
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/infrastructure/llm/safety.jsView on unpkg · L14
dist/interfaces/mcp/format.jsView file
128contains invisible/control Unicode U+200B (zero width space) return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/interfaces/mcp/format.jsView on unpkg · L128

Findings

1 Critical1 High3 Medium4 Low
CriticalTrojan Source Unicodedist/interfaces/mcp/format.js
HighCloud Metadata Accessdist/infrastructure/llm/safety.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings