AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Runtime behavior implements an MCP web-fetch/summarization tool with guarded outbound requests and optional operator-configured LLM/database integrations.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes the captatum CLI/MCP tool or hosted server with a URL
Impact
Fetches user-requested public URLs and may contact configured service endpoints; no credential harvesting, persistence, or unconsented install/import execution found.
Mechanism
guarded web fetch, optional browser render, optional LLM transform
Rationale
Static inspection shows a web-fetch MCP package whose risky primitives are user-invoked and aligned with its documented purpose, with SSRF, URL, render, and sensitive-content guards present. No lifecycle execution, credential/file harvesting, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation was found.
Evidence
- package.json
- bin/captatum.mjs
- dist/interfaces/mcp/stdio-bridge.js
- dist/application/use-cases/captatum-input.js
- dist/infrastructure/http/guarded-fetcher.js
- dist/infrastructure/http/dns.js
- dist/infrastructure/llm/openrouter.js
- dist/interfaces/mcp/format.js
- ./data/captatum.sqlite or CAPTATUM_SQLITE_PATH when hosted SQLite store is used
Network endpoints (8)
- openrouter.ai/api/v1
- api.ashbyhq.com
- api.lever.co
- api.eu.lever.co
- boards-api.greenhouse.io
- OLLAMA_BASE_URL (operator configured)
- TIDB_HOST (operator configured)
- CAPTATUM_BROWSER_CDP_ENDPOINT (loopback only)
Decision evidence
public snapshot: AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
(none listed)
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks
- bin/captatum.mjs only re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio
- Network code is package-aligned: guarded URL fetcher, optional OpenRouter/Ollama transforms, ATS APIs
- dist/application/use-cases/captatum-input.js restricts URLs to http/https, strips userinfo/fragments, upgrades http to https
- dist/infrastructure/http/dns.js and guarded-fetcher.js block private/reserved hosts and non-HTTP service ports
- dist/interfaces/mcp/format.js scanner Unicode hit is an intentional sanitizePrintable regex/comment, not hidden control-flow
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, HighEntropyStrings, UrlStrings
Source & flagged code
1 flagged: dist/interfaces/mcp/format.js
Line 89: contains invisible/control Unicode U+200B (zero width space); the invisible characters are shown below as <U+XXXX> placeholders
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
Findings
1 Critical, 3 Medium, 4 Low
- Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js, line 89)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings