registry  /  @plumpslabs/fennec-core  /  1.14.1

@plumpslabs/fennec-core@1.14.1

Fennec MCP server — AI-native browser, terminal, and process observability

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host starts the server and an MCP client invokes `process_spawn`, tracked-process resume, or `devtools_evaluate`.
Impact
A compromised or overly trusted MCP client could execute local commands or page-context code with the server user's permissions.
Mechanism
MCP-exposed local process control and browser-context JavaScript execution.
Rationale
Source inspection does not support a malicious publish block, but the default MCP surface exposes material local-command and browser-code execution capabilities. Treat it as a warning-risk integration that should run only with a trusted MCP host/client.
Evidence
package.jsondist/index.jsdist/cdp-engine-TER6GXT6.jsdist/chunk-43WB7BLK.js
Network endpoints2
127.0.0.1:9222/json/version127.0.0.1:${input.port}/json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes MCP tools that spawn and detach arbitrary local commands.
  • `dist/index.js` enables `allowProcessSpawn` and browser JavaScript evaluation by default.
  • `dist/index.js` persists tracked commands/logs under `~/.fennec` and can re-spawn saved commands.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `dist/index.js` constructs an MCP server; inspection found no import-time startup or hidden payload fetch.
  • Observed network literals are localhost CDP/MCP endpoints only.
  • Writes are package-owned logs, sessions, workflows, exports, and tracked-process state; no foreign AI-agent config paths found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 626 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
dist/cdp-engine-TER6GXT6.jsView file
6import { randomUUID } from "crypto"; L7: import { spawn, execSync } from "child_process"; L8: import { EventEmitter } from "events";
High
Child Process

Package source references child process execution.

dist/cdp-engine-TER6GXT6.jsView on unpkg · L6
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @plumpslabs/fennec-core@1.14.0 matchedIdentity = npm:QHBsdW1wc2xhYnMvZmVubmVjLWNvcmU:1.14.0 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
14Cross-file remote execution chain: dist/index.js spawns dist/cdp-engine-TER6GXT6.js; helper contains network access plus dynamic code execution. L14: import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; L15: import { createServer } from "http"; L16: import { ZodError } from "zod"; ... L782: const result = { L783: base64: buffer.toString("base64"), L784: width: clip?.width ?? viewport.width, ... L1244: category: "dom", L1245: description: "`<use_case>DOM inspection</use_case> \u{1F3F7}\uFE0F Get comprehensive page metadata: title, description, Open Graph tags (og:*), Twitter cards (twitter:*), canonical... L1246: inputSchema: z3.object({ ... L2097: code: "STORAGE_ACCESS_DENIED", L2098: suggestions: ["localStorage may be restricted in private browsing or cross-origin contexts"] L2099: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L14

Findings

1 Critical3 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/cdp-engine-TER6GXT6.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings