AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package intentionally provides user-invoked MCP browser and process-observability capabilities.
Static reason
One or more suspicious static signals were detected.
Trigger
A host application must instantiate the exported server and invoke its MCP tools.
Impact
Can access browser/session data or start configured development commands only when a host enables and invokes those tools.
Mechanism
Explicit browser automation, local CDP inspection, and managed developer-process control.
Rationale
The flagged primitives implement the documented observability/MCP feature set and are not install-time or import-time behavior. Static inspection found no concrete exfiltration, stealth persistence, remote execution chain, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsREADME.md
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js exposes explicit MCP tools for process spawning and browser JavaScript evaluation.
- Process spawning is constrained to configured commands and invoked through a tool handler.
Evidence against
- package.json has no preinstall, install, or postinstall lifecycle hook.
- dist/index.js exports library classes; it does not start the server on import.
- Network code targets user-supplied browser URLs or local 127.0.0.1 CDP/WebView endpoints.
- No credential-harvesting, remote payload download, agent-config mutation, or foreign persistence was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
4340// src/process/PortDetector.ts
L4341: import { execSync } from "child_process";
L4342: var PortDetector = class {
High
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution.
L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
L15: import { createServer } from "http";
L16: import { ZodError } from "zod";
...
L754: return {
L755: base64: buffer.toString("base64"),
L756: width: clip?.width ?? viewport.width,
...
L1154: category: "dom",
L1155: description: "`<use_case>SEO/Meta inspection</use_case> Get page metadata: title, description, Open Graph tags, Twitter cards, canonical URL, favicon, and viewport info. title, des...
L1156: inputSchema: z3.object({
...
L1355: const before = (/* @__PURE__ */ new Date()).toISOString();
L1356: await new Promise((resolve6) => setTimeout(resolve6, input.durationMs));
L1357: const logs = sessionManager.getConsoleBuffer(session.id, {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L14Findings
3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings