AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked web-fetch/MCP tool with optional LLM summarization and an explicit skill installer, not install-time execution or credential theft.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `captatum`, starts the stdio MCP server, fetches a URL, or explicitly runs `captatum skill install`.
Impact
Fetches user-requested URLs and may call configured transform/provider endpoints; explicit skill install writes local agent guidance.
Mechanism
guarded web fetch and optional content transform
Rationale
Static inspection found risky primitives, but they are aligned with the advertised MCP web-fetch tool and require user-invoked runtime actions. The scanner's Trojan Source hint is an intentional sanitization regex in dist/interfaces/mcp/format.js, not hidden control-flow manipulation.
Evidence
- package.json
- bin/captatum.mjs
- dist/cli.js
- dist/interfaces/mcp/stdio-bridge.js
- dist/interfaces/mcp/skill.js
- dist/interfaces/mcp/format.js
- dist/application/use-cases/captatum-input.js
- dist/infrastructure/http/guarded-fetcher.js
- dist/config.js
- dist/infrastructure/llm/openrouter.js
- ~/.codex/AGENTS.md
- ~/.claude/skills/captatum/SKILL.md
- ./data/captatum.sqlite
Network endpoints (6)
- openrouter.ai/api/v1
- OLLAMA_BASE_URL
- boards-api.greenhouse.io
- api.lever.co
- api.eu.lever.co
- api.ashbyhq.com
Decision evidence
Public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/captatum.mjs uses spawnSync to re-exec package CLI/MCP entrypoint.
- dist/interfaces/mcp/skill.js can write ~/.codex/AGENTS.md or ~/.claude/skills/captatum/SKILL.md when `captatum skill install` is explicitly run.
- dist/interfaces/mcp/format.js contains invisible/bidi-range characters only inside a sanitizing regex character class.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- bin/captatum.mjs only dispatches to dist/cli.js with args or stdio bridge with no args.
- dist/application/use-cases/captatum-input.js restricts target URLs to http/https, strips fragments, rejects userinfo and CRLF.
- dist/infrastructure/http/guarded-fetcher.js resolves public addresses and blocks sensitive service ports before requests.
- dist/config.js reads provider/database env vars but does not harvest or exfiltrate arbitrary environment data.
- Network use is package-aligned: web fetch, optional OpenRouter/Ollama transforms, hosted OAuth/store paths.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
1 flagged: dist/interfaces/mcp/format.js
Line 89 contains invisible/control Unicode U+200B (zero width space); the literal invisible characters are shown here as <U+XXXX> placeholders:
return value.replace(/[\x00-\x1f\x7f<U+200B>-<U+200F><U+202A>-<U+202E>]/g, "");
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/interfaces/mcp/format.js, line 89
Findings
1 Critical, 3 Medium, 4 Low
- Critical: Trojan Source Unicode (dist/interfaces/mcp/format.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk (Force Deep Review)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings