AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is an MCP web-fetch/extraction tool whose network, optional browser render, LLM provider, and OAuth store behavior are package-aligned and configured by the user or runtime.
Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced a dangerous source file.
Trigger
User starts the captatum CLI/MCP server and calls the tool with a URL.
Impact
Fetches requested public web content and may call configured providers; no install-time execution, credential harvesting, persistence, destructive action, or AI-agent control-surface mutation found.
Mechanism
User-invoked guarded web fetch, optional render, optional transform.
Rationale
Source inspection shows risky primitives, but they implement the advertised MCP web-fetch product with SSRF guards, bounded fetch/render behavior, and no lifecycle or import-time attack path. Scanner findings appear noisy or package-aligned rather than evidence of malicious behavior.
Evidence
- package.json
- bin/captatum.mjs
- dist/interfaces/mcp/stdio-bridge.js
- dist/application/use-cases/captatum.js
- dist/infrastructure/http/guarded-fetcher.js
- dist/infrastructure/http/dns.js
- dist/infrastructure/render/playwright-renderer.js
- dist/infrastructure/llm/safety.js
- dist/infrastructure/llm/openrouter.js
- dist/infrastructure/ashby/list-adapter.js
Network endpoints (5)
- openrouter.ai/api/v1
- api.ashbyhq.com/posting-api/job-board/{slug}?includeCompensation=true
- boards-api.greenhouse.io/v1/boards/{token}/jobs
- api.lever.co/v0/postings/{site}?mode=json
- api.eu.lever.co/v0/postings/{site}?mode=json
Decision evidence
Public snapshot: AI called this Clean (Benign) at 89.0% confidence, with medium false-positive risk.
Evidence for block
- Runtime network capability is intentional: user-supplied URL fetcher plus ATS/OpenRouter/Ollama integrations.
- bin/captatum.mjs uses child_process.spawnSync to launch the compiled MCP stdio bridge.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- bin/captatum.mjs only re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio.
- dist/infrastructure/http/guarded-fetcher.js and dns.js enforce URL normalization, DNS checks, private-address rejection, byte/time/redirect caps.
- dist/infrastructure/render/playwright-renderer.js only renders when allowRender is requested; it blocks downloads and websockets and launches Chromium with an empty environment.
- dist/infrastructure/llm/safety.js gates sensitive fetched content away from hosted LLM providers.
- The scanner's Unicode hit in dist/interfaces/mcp/format.js sits in a sanitizer regex/comment context, not in hidden control flow.
Behavioral surface
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
High Entropy Strings, URL Strings
Source & flagged code
2 flagged

dist/interfaces/mcp/format.js, line 89: contains invisible/control Unicode U+200B (zero width space)
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical · Trojan Source Unicode (dist/interfaces/mcp/format.js, line 89)
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/infrastructure/ashby/list-adapter.js
- matchType = previous_version_dangerous_delta
- matchedPackage = @edictum/captatum@0.3.0
- matchedIdentity = npm:QGVkaWN0dW0vY2FwdGF0dW0:0.3.0
- similarity = 0.938
- summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta (dist/infrastructure/ashby/list-adapter.js)
This package version adds a dangerous source file absent from the previous stored version.

Findings
2 Critical · 3 Medium · 4 Low
- Critical · Trojan Source Unicode · dist/interfaces/mcp/format.js
- Critical · Previous Version Dangerous Delta · dist/infrastructure/ashby/list-adapter.js
- Medium · Network
- Medium · Environment Vars
- Medium · Structural Risk Force Deep Review
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · URL Strings