registry  /  @plumpslabs/fennec-core  /  1.12.0

@plumpslabs/fennec-core@1.12.0

Fennec MCP server — AI-native browser, terminal, and process observability

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package exposes intentionally powerful MCP browser and process-observability tools only after runtime use.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit MCP tool invocation or programmatic server start.
Impact
Can inspect browser session data or start configured allowlisted local tools when invoked by its host.
Mechanism
Local browser/CDP observability and allowlisted developer-process management.
Rationale
Source inspection shows a browser/process MCP core with expected, user-invoked capabilities rather than install-time behavior or a hidden execution/exfiltration chain. Static child-process, environment, and network signals map to documented local observability functions.
Evidence
package.jsonREADME.mddist/index.jsdist/index.d.ts.fennec/tracked.json./.fennec/sessions
Network endpoints2
127.0.0.1:9222/json/version127.0.0.1:${input.port}/json

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime MCP tool can spawn allowlisted developer commands.
  • Runtime browser tools can evaluate page JavaScript and access browser storage.
  • Process tracking persists managed-process metadata under `.fennec`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • No remote endpoints were found; runtime HTTP probes target localhost CDP only.
  • Process spawning requires an explicit `process_spawn` tool call and uses an allowlist.
  • No AI-agent configuration paths or foreign control-surface writes were found.
  • No credential harvesting or outbound exfiltration path was identified.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 534 KB of source, external domains: 127.0.0.1

Source & flagged code

2 flagged · loading source
dist/index.jsView file
4340// src/process/PortDetector.ts L4341: import { execSync } from "child_process"; L4342: var PortDetector = class {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4340
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution. L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; L15: import { createServer } from "http"; L16: import { ZodError } from "zod"; ... L754: return { L755: base64: buffer.toString("base64"), L756: width: clip?.width ?? viewport.width, ... L1154: category: "dom", L1155: description: "`<use_case>SEO/Meta inspection</use_case> Get page metadata: title, description, Open Graph tags, Twitter cards, canonical URL, favicon, and viewport info. title, des... L1156: inputSchema: z3.object({ ... L1355: const before = (/* @__PURE__ */ new Date()).toISOString(); L1356: await new Promise((resolve6) => setTimeout(resolve6, input.durationMs)); L1357: const logs = sessionManager.getConsoleBuffer(session.id, {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L14

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings