
@edictum/captatum@0.4.1

Captatum — adaptive MCP web-fetch tool for AI agents: fetch any URL, render JS when needed, return clean structured content + provenance.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior implements an MCP web-fetch/summarization tool with guarded outbound requests and optional operator-configured LLM/database integrations.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User invokes the captatum CLI/MCP tool or hosted server with a URL.
Impact: Fetches user-requested public URLs and may contact configured service endpoints; no credential harvesting, persistence, or unconsented install/import execution found.
Mechanism: guarded web fetch, optional browser render, optional LLM transform.
Rationale: Static inspection shows a web-fetch MCP package whose risky primitives are user-invoked and aligned with its documented purpose, with SSRF, URL, render, and sensitive-content guards present. No lifecycle execution, credential/file harvesting, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation was found.
Evidence
• package.json
• bin/captatum.mjs
• dist/interfaces/mcp/stdio-bridge.js
• dist/application/use-cases/captatum-input.js
• dist/infrastructure/http/guarded-fetcher.js
• dist/infrastructure/http/dns.js
• dist/infrastructure/llm/openrouter.js
• dist/interfaces/mcp/format.js
• ./data/captatum.sqlite or CAPTATUM_SQLITE_PATH when hosted SQLite store is used

Network endpoints (8)
• openrouter.ai/api/v1
• api.ashbyhq.com
• api.lever.co
• api.eu.lever.co
• boards-api.greenhouse.io
• OLLAMA_BASE_URL (operator configured)
• TIDB_HOST (operator configured)
• CAPTATUM_BROWSER_CDP_ENDPOINT (loopback only)

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall/prepare lifecycle hooks
• bin/captatum.mjs only re-execs dist/interfaces/mcp/stdio-bridge.js with inherited stdio
• Network code is package-aligned: guarded URL fetcher, optional OpenRouter/Ollama transforms, ATS APIs
• dist/application/use-cases/captatum-input.js restricts URLs to http/https, strips userinfo/fragments, upgrades http to https
• dist/infrastructure/http/dns.js and guarded-fetcher.js block private/reserved hosts and non-HTTP service ports
• dist/interfaces/mcp/format.js scanner Unicode hit is an intentional sanitizePrintable regex/comment, not hidden control-flow

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
Scanned 98 file(s), 332 KB of source, external domains: 127.0.0.1, chatgpt.com, claude.ai, jobs.ashbyhq.com, openrouter.ai

Source & flagged code

1 flagged
dist/interfaces/mcp/format.js, line 89: contains invisible/control Unicode U+200B (zero width space) in the returned value:
    return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical: Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

Findings

1 Critical · 3 Medium · 4 Low
• Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
• Medium: Network
• Medium: Environment Vars
• Medium: Structural Risk (Force Deep Review)
• Low: Scripts Present
• Low: Filesystem
• Low: High Entropy Strings
• Low: Url Strings