registry  /  @plumpslabs/fennec-core  /  1.13.3

@plumpslabs/fennec-core@1.13.3

Fennec MCP server — AI-native browser, terminal, and process observability

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
A connected MCP client explicitly invokes process or DevTools tools at runtime.
Impact
An authorized MCP client can start allowlisted local developer commands or execute JavaScript in the selected browser page.
Mechanism
Guarded MCP-mediated process spawning and browser CDP execution.
Rationale
No concrete malicious behavior was found, but the package intentionally provides high-impact AI-agent process and browser-execution capabilities with permissive defaults. Treat as a warning-level dangerous capability rather than a publish-blocking malware verdict.
Evidence
package.jsondist/index.jsdist/cdp-engine-TGY7DD37.jsREADME.md
Network endpoints1
127.0.0.1:${port}/json/version

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes MCP `process_spawn` with spawning enabled by default.
  • `dist/index.js` launches allowlisted commands as detached processes with caller-supplied arguments and environment.
  • `dist/index.js` enables `devtools_evaluate` by default for browser-page JavaScript.
  • `dist/cdp-engine-TGY7DD37.js` can launch Chrome and connect to its local DevTools endpoint.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • No import-time server start or process spawn was found; capabilities require MCP tool calls.
  • Command names are restricted to a built-in spawn allowlist.
  • Observed CDP network access targets localhost; no exfiltration endpoint or credential harvesting was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 570 KB of source, external domains: 127.0.0.1

Source & flagged code

2 flagged · loading source
dist/index.jsView file
4340// src/process/PortDetector.ts L4341: import { execSync } from "child_process"; L4342: var PortDetector = class {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4340
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution. L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; L15: import { createServer } from "http"; L16: import { ZodError } from "zod"; ... L754: return { L755: base64: buffer.toString("base64"), L756: width: clip?.width ?? viewport.width, ... L1154: category: "dom", L1155: description: "`<use_case>DOM inspection</use_case> \u{1F3F7}\uFE0F Get comprehensive page metadata: title, description, Open Graph tags (og:*), Twitter cards (twitter:*), canonical... L1156: inputSchema: z3.object({ ... L1925: code: "STORAGE_ACCESS_DENIED", L1926: suggestions: ["localStorage may be restricted in private browsing or cross-origin contexts"] L1927: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L14

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings