registry  /  @validpilot/ai-verify-mcp  /  1.6.1

@validpilot/ai-verify-mcp@1.6.1

AI 编程验证平台。让 AI 代码生成结果可验证、可信赖。MCP 协议原生支持,证据驱动。

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked MCP/browser validation server with powerful but package-aligned testing tools.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the CLI, starts server.js/start-http.js, or invokes MCP tools
Impact
Can interact with user-specified web pages and write validation artifacts when invoked; no install-time persistence, credential harvesting, exfiltration, or foreign agent-control mutation found
Mechanism
Browser automation, page-context evaluation, local artifact generation, optional local HTTP MCP server
Rationale
Static inspection found dangerous primitives only in explicit MCP/CLI browser-testing workflows, with no install-time execution or unconsented writes to broad AI-agent control surfaces. The observed file and network behavior is aligned with validation artifact collection and user-selected targets, not malware.
Evidence
package.jsonbin/validpilot.jsserver.jsstart-http.jsstandalone-start.jscore/security.jscore/redaction.jscore/win-encoding.jshandlers/browser.jshandlers/validation.jshandlers/evidence.jshandlers/system.jsvalidation.logscreenshots/traces/har/reports/.trae/validations/runs/artifacts/
Network endpoints3
validpilot.com/pricinglocalhost:3456/healthlocalhost:3456/mcp

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • server.js exposes MCP/browser automation tools including browser_eval and HTTP mode when explicitly started
  • handlers/validation.js can issue user-directed API requests and CRUD checks against the opened page origin
  • server.js and handlers write local validation artifacts, reports, screenshots, HAR, and logs
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepublishOnly is publisher-side health/pack check
  • bin/validpilot.js only runs explicit health/validate/run commands and does not alter AI-agent configs
  • No code writes .mcp.json, Claude/Codex/Cursor settings, shell startup files, VCS hooks, or autostart entries
  • Network activity is user-supplied target URLs, localhost HTTP server, or documented ValidPilot pricing links; no hardcoded exfiltration endpoint found
  • core/redaction.js redacts tokens/secrets in logs and evidence packs
  • child_process usage is limited to launching the local server/browser helpers or Windows codepage/Chrome detection
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 857 KB of source, external domains: example.com, validpilot.com, www.w3.org

Source & flagged code

5 flagged · loading source
hands/deep_interactor.jsView file
190patternName = generic_password severity = medium line = 190 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

hands/deep_interactor.jsView on unpkg · L190
core/win-encoding.jsView file
15// 切换控制台代码页为 UTF-8 L16: require('child_process').execSync('chcp 65001', { stdio: 'ignore' }); L17: } catch (_) {
High
Child Process

Package source references child process execution.

core/win-encoding.jsView on unpkg · L15
5* L6: * 解决 PowerShell (GBK) 显示 Node.js UTF-8 输出时中文乱码的问题。 L7: * 在脚本入口处 require 即可生效。
High
Shell

Package source references shell execution.

core/win-encoding.jsView on unpkg · L5
engines/playwright_adapter.jsView file
173L174: async eval(args = {}) { L175: const page = await this.ensurePage(args);
Low
Eval

Package source references a known benign dynamic code generation pattern.

engines/playwright_adapter.jsView on unpkg · L173
standalone-start.jsView file
9Cross-file remote execution chain: standalone-start.js spawns server.js; helper contains network access plus dynamic code execution. L9: const path = require('path'); L10: const { spawn } = require('child_process'); L11: L12: const serverPath = path.join(__dirname, 'server.js'); L13: ... L21: stdio: ['pipe', 'pipe', 'pipe'], L22: env: { ...process.env, NODE_ENV: 'development' } L23: }); L24: L25: server.stdout.on('data', (data) => { L26: console.log('[stdout]', data.toString());
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

standalone-start.jsView on unpkg · L9

Findings

3 High3 Medium6 Low
HighChild Processcore/win-encoding.js
HighShellcore/win-encoding.js
HighCross File Remote Execution Contextstandalone-start.js
MediumSecret Patternhands/deep_interactor.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalengines/playwright_adapter.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings