registry  /  @plumpslabs/fennec-core  /  1.12.1

@plumpslabs/fennec-core@1.12.1

Fennec MCP server — AI-native browser, terminal, and process observability

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime MCP tools intentionally manage browser sessions and optionally spawn allowlisted developer commands after a client tool call.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit consumer invocation of exported server/tool APIs.
Impact
Capabilities are package-aligned and user-invoked; no unsolicited installation or import-time action was found.
Mechanism
Local browser/CDP observability, session persistence, and guarded process management.
Rationale
The scanner signals map to intended MCP browser/process functionality. Direct inspection found no lifecycle execution, external command-and-control, exfiltration, stealth persistence, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/cdp-engine-TGY7DD37.jsREADME.md./.fennec/sessions./.fennec/exports~/.fennec/tracked.json
Network endpoints1
127.0.0.1:9222/json/version

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • dist/index.js exports a library; server startup requires an explicit start call.
    • Process spawning is an explicit MCP tool guarded by allowProcessSpawn and an allowlist.
    • CDP network use targets local Chrome debugging endpoints.
    • Filesystem writes persist user-requested sessions, exports, and tracked processes under .fennec paths.
    • No remote exfiltration, payload download, credential harvesting, or AI-agent config mutation found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 5 file(s), 534 KB of source, external domains: 127.0.0.1

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    4340// src/process/PortDetector.ts L4341: import { execSync } from "child_process"; L4342: var PortDetector = class {
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L4340
    14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution. L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; L15: import { createServer } from "http"; L16: import { ZodError } from "zod"; ... L754: return { L755: base64: buffer.toString("base64"), L756: width: clip?.width ?? viewport.width, ... L1154: category: "dom", L1155: description: "`<use_case>SEO/Meta inspection</use_case> Get page metadata: title, description, Open Graph tags, Twitter cards, canonical URL, favicon, and viewport info. title, des... L1156: inputSchema: z3.object({ ... L1355: const before = (/* @__PURE__ */ new Date()).toISOString(); L1356: await new Promise((resolve6) => setTimeout(resolve6, input.durationMs)); L1357: const logs = sessionManager.getConsoleBuffer(session.id, {
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/index.jsView on unpkg · L14

    Findings

    3 High2 Medium4 Low
    HighChild Processdist/index.js
    HighShell
    HighCross File Remote Execution Contextdist/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings