
@edictum/captatum@0.4.0

Captatum — adaptive MCP web-fetch tool for AI agents: fetch any URL, render JS when needed, return clean structured content + provenance.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an MCP web-fetch/extraction tool whose network, optional browser render, LLM provider, and OAuth store behavior are package-aligned and user/runtime configured.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User starts the captatum CLI/MCP server and calls the tool with a URL.
Impact
Fetches requested public web content and may call configured providers; no install-time execution, credential harvesting, persistence, destructive action, or AI-agent control-surface mutation found.
Mechanism
User-invoked guarded web fetch, optional render, optional transform.
Rationale
Source inspection shows risky primitives, but they implement the advertised MCP web-fetch product with SSRF guards, bounded fetch/render behavior, and no lifecycle or import-time attack path. Scanner findings appear noisy or package-aligned rather than evidence of malicious behavior.
Evidence
  • package.json
  • bin/captatum.mjs
  • dist/interfaces/mcp/stdio-bridge.js
  • dist/application/use-cases/captatum.js
  • dist/infrastructure/http/guarded-fetcher.js
  • dist/infrastructure/http/dns.js
  • dist/infrastructure/render/playwright-renderer.js
  • dist/infrastructure/llm/safety.js
  • dist/infrastructure/llm/openrouter.js
  • dist/infrastructure/ashby/list-adapter.js
Network endpoints (5)
  • openrouter.ai/api/v1
  • api.ashbyhq.com/posting-api/job-board/{slug}?includeCompensation=true
  • boards-api.greenhouse.io/v1/boards/{token}/jobs
  • api.lever.co/v0/postings/{site}?mode=json
  • api.eu.lever.co/v0/postings/{site}?mode=json

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Runtime network capability is intentional: user-supplied URL fetcher plus ATS/OpenRouter/Ollama integrations.
  • bin/captatum.mjs uses child_process.spawnSync to launch the compiled MCP stdio bridge.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • bin/captatum.mjs only re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio.
  • dist/infrastructure/http/guarded-fetcher.js and dns.js enforce URL normalization, DNS checks, private-address rejection, byte/time/redirect caps.
  • dist/infrastructure/render/playwright-renderer.js only renders when allowRender is requested; blocks downloads/websockets and launches Chromium with empty env.
  • dist/infrastructure/llm/safety.js gates sensitive fetched content away from hosted LLM providers.
  • dist/interfaces/mcp/format.js scanner Unicode hit is in a sanitizer regex/comment context, not hidden control flow.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 98 file(s), 330 KB of source, external domains: jobs.ashbyhq.com, openrouter.ai

Source & flagged code

2 flagged
dist/interfaces/mcp/format.js
Line 89: contains invisible/control Unicode U+200B (zero width space)
return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/infrastructure/ashby/list-adapter.js
matchType = previous_version_dangerous_delta
matchedPackage = @edictum/captatum@0.3.0
matchedIdentity = npm:QGVkaWN0dW0vY2FwdGF0dW0:0.3.0
similarity = 0.938
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.


Findings

2 Critical · 3 Medium · 4 Low
  • Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
  • Critical: Previous Version Dangerous Delta (dist/infrastructure/ashby/list-adapter.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings