@edictum/captatum@0.3.0

Captatum — adaptive MCP web-fetch tool for AI agents: fetch any URL, render JS when needed, return clean structured content + provenance.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked MCP web-fetch/render tool with bounded, package-aligned outbound requests and optional configured LLM endpoints.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the captatum bin or invokes the MCP captatum tool.
Impact
Fetches caller-supplied http(s) URLs and may call configured transform providers; no credential harvesting, persistence, destructive action, or exfiltration was identified.
Mechanism
Guarded URL fetch with optional summarization/rendering
Rationale
Static source inspection shows a legitimate MCP URL fetcher with expected child_process re-exec for the CLI, guarded outbound fetching, and optional user-configured LLM/render features. The suspicious primitives are aligned with the package purpose and no concrete unconsented attack behavior is present.
Evidence
package.json
bin/captatum.mjs
dist/interfaces/mcp/stdio-bridge.js
dist/interfaces/mcp/server.js
dist/interfaces/mcp/format.js
dist/application/use-cases/captatum.js
dist/application/use-cases/captatum-input.js
dist/infrastructure/http/dns.js
dist/infrastructure/http/request.js
dist/infrastructure/http/guarded-fetcher.js
dist/infrastructure/llm/openrouter.js
dist/infrastructure/render/playwright-renderer.js
Network endpoints (1)
openrouter.ai/api/v1

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only bin captatum is exposed.
    • bin/captatum.mjs only checks Node >=24 and re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio.
    • MCP entrypoint starts a stdio MCP URL-fetch tool, not an import-time payload or network listener.
    • Network behavior is package-aligned: guarded user-requested URL fetches, optional OpenRouter/Ollama transforms, optional Playwright render.
    • SSRF controls reject private/local hosts and blocked service ports in dist/infrastructure/http/dns.js and request.js.
    • Scanner Trojan Source hint is noisy: inspected format.js contains sanitization for bidi/zero-width chars and no bidi/invisible chars were found.
    Behavioral surface
    Source
    ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
    Supply chain
    HighEntropyStrings · UrlStrings
    Manifest
    No manifest risk signals triggered.
    scanned 90 file(s), 294 KB of source, external domains: jobs.ashbyhq.com, openrouter.ai

    Source & flagged code

    1 flagged
    dist/interfaces/mcp/format.js
    Line 55 contains invisible/control Unicode U+200B (zero width space):
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/interfaces/mcp/format.js · L55

    Findings

    1 Critical · 3 Medium · 4 Low
    Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
    Medium: Network
    Medium: Environment Vars
    Medium: Structural Risk Force Deep Review
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings