registry  /  @qubiqlabs/webpilot  /  1.1.1

@qubiqlabs/webpilot@1.1.1

AI-native web automation on top of Playwright: natural language execution, codegen, healing, and reports

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a WebPilot/browser automation CLI with user-invoked scaffolding, diagnostics, Python setup, LLM provider calls, and browser-use telemetry.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes webpilot commands such as init, setup, doctor, run, ci, replay, or codegen.
Impact
Can create project scaffolding, .venv dependencies, runtime reports, browser sessions, and configured LLM/API requests as part of expected functionality.
Mechanism
user-invoked automation CLI and setup tooling
Rationale
Static source inspection shows powerful browser automation and setup behavior, but it is package-aligned and activated by explicit CLI commands rather than npm install/import-time stealth behavior. I found no credential harvesting, hidden remote payload execution, destructive action, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/src/cli/index.jsdist/src/integrations/browser_use/PythonRuntime.jsscripts/setup-python.shdist/src/core/LLMClient.jspackages/browser-use/browser_use/telemetry/service.pyresources/config/webpilot.yamlresources/config/llm.json.env.example.venvruntime/packages/test-framework/tests/~/.config/browseruse/device_id
Network endpoints6
eu.i.posthog.comapi.openai.com/v1/chat/completionsapi.anthropic.com/v1/messagesgenerativelanguage.googleapis.comapi.browser-use.comlocalhost:11434

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • packages/browser-use telemetry defaults to PostHog and creates a device_id under browser-use config.
  • Explicit setup paths can create .venv and install requirements for vendored browser-use.
  • CLI can run browser automation, LLM calls, subprocess checks, and project scaffolding when user invokes commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/src/cli/index.js actions are commander subcommands; import mainly registers CLI and loads dotenv.
  • dist/src/cli/index.js init/setup/doctor writes are project/tool scaffolding or diagnostics, not stealth persistence.
  • dist/src/integrations/browser_use/PythonRuntime.js pip/venv operations are package-aligned setup for vendored browser-use.
  • dist/src/core/LLMClient.js sends prompts only to configured LLM providers; no hidden exfil endpoint found.
  • Claude skill references in packages/browser-use docs are manual instructions, not executed by npm lifecycle code.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 137 file(s), 943 KB of source, external domains: api.anthropic.com, api.openai.com, automationexercise.com, demo.applitools.com, dotnet.microsoft.com, fonts.googleapis.com, generativelanguage.googleapis.com, maven.apache.org, nodejs.org, petstore.swagger.io, www.booking.com, www.w3.org

Source & flagged code

5 flagged · loading source
dist/src/core/CodegenPlaywrightValidator.jsView file
36exports.CodegenPlaywrightValidator = void 0; L37: const child_process_1 = require("child_process"); L38: const fs = __importStar(require("fs"));
High
Child Process

Package source references child process execution.

dist/src/core/CodegenPlaywrightValidator.jsView on unpkg · L36
dist/src/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @qubiqlabs/webpilot@1.0.4 matchedIdentity = npm:QHF1YmlxbGFicy93ZWJwaWxvdA:1.0.4 similarity = 0.767 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli/index.jsView on unpkg
567try { L568: execSync('npx tsc --noEmit', { L569: encoding: 'utf8',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/cli/index.jsView on unpkg · L567
scripts/setup-python.shView file
path = scripts/setup-python.sh kind = build_helper sizeBytes = 1224 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/setup-python.shView on unpkg
docs/FRAMEWORK_GUIDE.mdView file
702patternName = generic_password severity = medium line = 702 matchedText = await ap... });
Medium
Secret Pattern

Hardcoded password in docs/FRAMEWORK_GUIDE.md

docs/FRAMEWORK_GUIDE.mdView on unpkg · L702

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/src/cli/index.js
HighChild Processdist/src/core/CodegenPlaywrightValidator.js
HighShell
HighRuntime Package Installdist/src/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/setup-python.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/FRAMEWORK_GUIDE.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings