registry  /  @scrapitos/runner  /  1.0.22

@scrapitos/runner@1.0.22

Scrapit OS Core Executor and Local Agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A local HTTP agent exposes browser automation and scenario execution after the user starts it. Its wildcard CORS and PNA headers allow browser-originated requests to the localhost service once it is authenticated.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `scrapit-agent serve` and completes cloud or offline setup.
Impact
A malicious webpage may trigger browser automation against arbitrary scenario targets; supplied eval steps execute in the target page context.
Mechanism
Unauthenticated-origin local scenario execution through a CORS-permissive automation API.
Rationale
No concrete malicious chain is present, so blocking is not justified. The permissive local API plus arbitrary browser automation is a real dangerous capability that warrants a warning.
Evidence
package.jsonpostinstall.jsdist/cli/agent.jsdist/dslExecutor/executor.jsdist/core/browserManager.js
Network endpoints2
localhost:4000/api/loginlocalhost:4001

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli/agent.js` enables wildcard CORS and Private Network Access.
  • `dist/cli/agent.js` accepts authenticated `/api/preview` bodies and runs supplied scenarios.
  • `dist/dslExecutor/executor.js` executes scenario-provided JavaScript in browser pages with `new Function`.
  • `dist/core/browserManager.js` uses stealth browser fingerprinting and CAPTCHA-compatible automation.
  • `postinstall.js` runs Playwright Chromium installation through `execSync` during npm install.
Evidence against
  • `postinstall.js` only installs the declared Playwright Chromium dependency and catches failures.
  • No source writes AI-agent config, startup persistence, shell payload, or credential-harvesting logic.
  • Cloud login sends only explicitly entered credentials to the user-selected auth URI.
  • No hard-coded non-package exfiltration endpoint or hidden remote payload loader was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 28 file(s), 426 KB of source, external domains: 2captcha.com, api.anti-captcha.com, google.com, secure-site.com, www.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/browserManager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @scrapitos/runner@1.0.21 matchedIdentity = npm:QHNjcmFwaXRvcy9ydW5uZXI:1.0.21 similarity = 0.926 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/browserManager.jsView on unpkg
189try { L190: const { execSync } = await import('child_process'); L191: const env = { ...process.env };
High
Child Process

Package source references child process execution.

dist/core/browserManager.jsView on unpkg · L189
212Logger.log('[BrowserManager] Direct playwright CLI resolution failed, falling back to npx...'); L213: execSync('npx playwright install chromium', { stdio: 'inherit', env }); L214: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/browserManager.jsView on unpkg · L212
dist/dslExecutor/executor.jsView file
1384try { L1385: const fn = new Function('el', scriptBody); L1386: return fn(null); // No element in page-level eval
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dslExecutor/executor.jsView on unpkg · L1384
dist/cli/agent.jsView file
24.option('-p, --port <number>', 'Port to run the agent on', '4001') L25: .option('-u, --auth-uri <uri>', 'Cloud service base URI', 'http://localhost:4000') L26: .option('-d, --daemon', 'Run agent in background as a daemon') L27: .action(async (options) => { L28: if (options.daemon && !process.env.__DETACHED__) { L29: console.log('🚀 Starting Scrapit Agent in background...'); ... L34: const err = fs.openSync(path.join(logDir, 'agent.err'), 'a'); L35: const child = spawn(process.argv[0], [...process.argv.slice(1)], { L36: detached: true,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/agent.jsView on unpkg · L24

Findings

1 Critical5 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/core/browserManager.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/browserManager.js
HighShell
HighSame File Env Network Executiondist/cli/agent.js
HighRuntime Package Installdist/core/browserManager.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/dslExecutor/executor.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License