AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a user-invoked MCP web-fetch/render tool with bounded, package-aligned outbound requests and optional configured LLM endpoints.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the captatum bin or invokes the MCP captatum tool.
Impact
Fetches caller-supplied http(s) URLs and may call configured transform providers; no credential harvesting, persistence, destructive action, or exfiltration was identified.
Mechanism
Guarded URL fetch with optional summarization/rendering
Rationale
Static source inspection shows a legitimate MCP URL fetcher with expected child_process re-exec for the CLI, guarded outbound fetching, and optional user-configured LLM/render features. The suspicious primitives are aligned with the package purpose and no concrete unconsented attack behavior is present.
Evidence
- package.json
- bin/captatum.mjs
- dist/interfaces/mcp/stdio-bridge.js
- dist/interfaces/mcp/server.js
- dist/interfaces/mcp/format.js
- dist/application/use-cases/captatum.js
- dist/application/use-cases/captatum-input.js
- dist/infrastructure/http/dns.js
- dist/infrastructure/http/request.js
- dist/infrastructure/http/guarded-fetcher.js
- dist/infrastructure/llm/openrouter.js
- dist/infrastructure/render/playwright-renderer.js
Network endpoints (1)
openrouter.ai/api/v1
Decision evidence
public snapshot: AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin captatum is exposed.
- bin/captatum.mjs only checks Node >=24 and re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio.
- MCP entrypoint starts a stdio MCP URL-fetch tool, not an import-time payload or network listener.
- Network behavior is package-aligned: guarded user-requested URL fetches, optional OpenRouter/Ollama transforms, optional Playwright render.
- SSRF controls reject private/local hosts and blocked service ports in dist/infrastructure/http/dns.js and request.js.
- Scanner Trojan Source hint is noisy: inspected format.js contains sanitization for bidi/zero-width chars and no bidi/invisible chars were found.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
Source & flagged code
1 flagged · dist/interfaces/mcp/format.js
Line 55: contains invisible/control Unicode U+200B (zero width space)
return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/interfaces/mcp/format.js, line 55
Findings
1 Critical · 3 Medium · 4 Low
- Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk (Force Deep Review)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings