@edictum/captatum@0.2.2

Captatum — adaptive MCP web-fetch tool for AI agents: fetch any URL, render JS when needed, return clean structured content + provenance.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked MCP web-fetch/transform tool whose network and LLM calls are aligned with its advertised function.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the captatum CLI or starts the hosted server/MCP tool and requests URL fetching or transformation.
Impact
Fetches user-requested URLs and may call configured LLM/model endpoints; no credential theft or unconsented install/import behavior found.
Mechanism
MCP stdio/server web fetcher with optional browser rendering and LLM transformation
Rationale
Static inspection found risky primitives, but they are user-invoked and package-aligned: a CLI launches an MCP bridge, fetches requested web content through guarded networking, and optionally uses configured LLM/browser services. The scanner's Trojan Source hint maps to a regex intended to strip invisible/bidi characters, with no hidden execution or exfiltration behavior observed.
Evidence
  • package.json
  • bin/captatum.mjs
  • dist/interfaces/mcp/stdio-bridge.js
  • dist/interfaces/mcp/format.js
  • dist/config.js
  • dist/infrastructure/wreq/requester.js
  • dist/infrastructure/http/guarded-fetcher.js
  • dist/infrastructure/llm/openrouter.js
Network endpoints (3)
  • openrouter.ai/api/v1
  • localhost:9222
  • jobs.ashbyhq.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/captatum.mjs uses child_process.spawnSync to re-exec the package MCP stdio bridge when the CLI is invoked.
  • dist/config.js reads env vars including API keys, OAuth, TiDB, and render settings for explicit runtime configuration.
  • dist/infrastructure/llm/openrouter.js can call https://openrouter.ai/api/v1 when configured for LLM transforms.
  • dist/interfaces/mcp/format.js contains invisible/bidi-range characters only inside a sanitizing regex and comment, not hidden control flow.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and only exposes a captatum CLI bin.
  • dist/interfaces/mcp/stdio-bridge.js starts an MCP stdio server; no import-time exfiltration or filesystem mutation found.
  • Network fetching is package-aligned: README/manifest describe an MCP web-fetch tool, and GuardedHttpFetcher validates URLs, public DNS, redirects, ports, timeout, and body caps.
  • Env vars are read as configuration; no code found that harvests or transmits arbitrary environment variables.
  • No persistence, destructive commands, AI-agent control-surface writes, or dropped payloads observed in inspected package files.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 87 file(s), 269 KB of source, external domains: jobs.ashbyhq.com, openrouter.ai

Source & flagged code

1 flagged
dist/interfaces/mcp/format.js, line 55: contains invisible/control Unicode U+200B (zero width space)
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/interfaces/mcp/format.js, line 55

Findings

1 Critical, 3 Medium, 4 Low
  • Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk (Force Deep Review)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings