AI Security Review
scanned 1h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
A connected MCP client explicitly invokes process or DevTools tools at runtime.
Impact
An authorized MCP client can start allowlisted local developer commands or execute JavaScript in the selected browser page.
Mechanism
Guarded MCP-mediated process spawning and browser CDP execution.
Rationale
No concrete malicious behavior was found, but the package intentionally provides high-impact AI-agent process and browser-execution capabilities with permissive defaults. Treat as a warning-level dangerous capability rather than a publish-blocking malware verdict.
Evidence
package.jsondist/index.jsdist/cdp-engine-TGY7DD37.jsREADME.md
Network endpoints1
127.0.0.1:${port}/json/version
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` exposes MCP `process_spawn` with spawning enabled by default.
- `dist/index.js` launches allowlisted commands as detached processes with caller-supplied arguments and environment.
- `dist/index.js` enables `devtools_evaluate` by default for browser-page JavaScript.
- `dist/cdp-engine-TGY7DD37.js` can launch Chrome and connect to its local DevTools endpoint.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- No import-time server start or process spawn was found; capabilities require MCP tool calls.
- Command names are restricted to a built-in spawn allowlist.
- Observed CDP network access targets localhost; no exfiltration endpoint or credential harvesting was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
4340// src/process/PortDetector.ts
L4341: import { execSync } from "child_process";
L4342: var PortDetector = class {
High
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TGY7DD37.js; helper contains network access plus dynamic code execution.
L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
L15: import { createServer } from "http";
L16: import { ZodError } from "zod";
...
L754: return {
L755: base64: buffer.toString("base64"),
L756: width: clip?.width ?? viewport.width,
...
L1154: category: "dom",
L1155: description: "`<use_case>DOM inspection</use_case> \u{1F3F7}\uFE0F Get comprehensive page metadata: title, description, Open Graph tags (og:*), Twitter cards (twitter:*), canonical...
L1156: inputSchema: z3.object({
...
L1925: code: "STORAGE_ACCESS_DENIED",
L1926: suggestions: ["localStorage may be restricted in private browsing or cross-origin contexts"]
L1927: });
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L14Findings
3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings