
@moxxy/plugin-browser@0.28.0

Browser capabilities for moxxy: web_fetch (zero-deps light tier) + browser_session (Playwright sidecar for JS-heavy / interactive pages).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process · Crypto · Environment Vars · Network · Shell
Supply chain: High Entropy Strings · Url Strings
Manifest: No manifest risk signals triggered.
scanned 27 file(s), 250 KB of source, external domains: 10.0.0.1, 10.0.0.5, 127.0.0.1, 169.254.169.254, 172.16.0.1, 192.168.1.1, 93.184.216.34, a.example.com, b.example.com, evil.example.com, example.com, intranet.example.com, nope.invalid, single.example, unquoted.example

Source & flagged code

3 flagged
dist/browser-session.js
1: import { spawn } from 'node:child_process';
2: import { randomUUID } from 'node:crypto';
High
Child Process

Package source references child process execution.

dist/browser-session.js · L1
dist/sidecar/install.js
2:  * Playwright lifecycle: import, launch, and one-shot auto-install of the
3:  * per-browser binary. Keeps the dispatch layer free of node:child_process
4:  * + Playwright-import noise.
...
61: const onChunk = (chunk) => {
62:   const text = chunk.toString('utf8');
63:   for (const line of text.split(/\r?\n/))
...
67: };
68: child.stdout.on('data', onChunk);
69: child.stderr.on('data', onChunk);
...
101: throw err;
102: process.stderr.write(`moxxy-browser: ${which} binary missing, running \`npx playwright install ${which}\` ` +
103:   `(one-time, ~150MB). This may take a minute…\n`);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/sidecar/install.js · L2
221: return new Promise((resolve, reject) => {
222:   const child = spawn('npx', ['playwright', 'install', which], {
223:     stdio: ['ignore', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sidecar/install.js · L221

Findings

4 High · 3 Medium · 3 Low
High · Child Process · dist/browser-session.js
High · Shell
High · Cloud Metadata Access · dist/sidecar/install.js
High · Runtime Package Install · dist/sidecar/install.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings