registry  /  @plumpslabs/fennec-core  /  1.12.3

@plumpslabs/fennec-core@1.12.3

Fennec MCP server — AI-native browser, terminal, and process observability

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an MCP browser/process observability library whose sensitive actions are explicit runtime tools with configuration guards.

Static reason
One or more suspicious static signals were detected.
Trigger
A host application constructs and starts `FennecServer`, then explicitly invokes MCP tools.
Impact
Can manage user-requested browser sessions and developer processes; no unconsented install-time behavior or exfiltration chain found.
Mechanism
User-invoked browser automation, local CDP inspection, and guarded process management.
Rationale
Static source inspection shows package-aligned observability capabilities rather than a concrete malicious chain. Sensitive runtime features are exposed as explicit tools and process spawning is disabled unless configuration enables it.
Evidence
package.jsonREADME.mddist/index.jsdist/cdp-engine-TGY7DD37.js./.fennec/sessions./.fennec/workflows~/.fennec/tracked.json
Network endpoints2
127.0.0.1:9222/json/version127.0.0.1:<port>/json

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` exposes process spawning and detaches spawned children.
  • `dist/index.js` persists sessions, workflows, and tracked-process metadata under configured Fennec paths.
  • `dist/index.js` includes browser-context JavaScript evaluation and local CDP access.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • Entrypoint exports library APIs; no import-time command, network, or agent-config action found.
  • `process_spawn` is an explicit tool and rejects calls unless `security.allowProcessSpawn` is enabled.
  • Default process allowlist is limited to common developer runtimes/package managers.
  • Observed fetches target local CDP endpoints; no package-controlled remote exfiltration endpoint found.
  • No writes to AI-agent configuration, credential harvesting, stealth payload loading, or destructive behavior found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 534 KB of source, external domains: 127.0.0.1

Source & flagged code

2 flagged · loading source
dist/index.jsView file
4340// src/process/PortDetector.ts L4341: import { execSync } from "child_process"; L4342: var PortDetector = class {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4340
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution. L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; L15: import { createServer } from "http"; L16: import { ZodError } from "zod"; ... L754: return { L755: base64: buffer.toString("base64"), L756: width: clip?.width ?? viewport.width, ... L1154: category: "dom", L1155: description: "`<use_case>SEO/Meta inspection</use_case> Get page metadata: title, description, Open Graph tags, Twitter cards, canonical URL, favicon, and viewport info. title, des... L1156: inputSchema: z3.object({ ... L1355: const before = (/* @__PURE__ */ new Date()).toISOString(); L1356: await new Promise((resolve6) => setTimeout(resolve6, input.durationMs)); L1357: const logs = sessionManager.getConsoleBuffer(session.id, {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L14

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings