registry  /  @validpilot/ai-verify-mcp  /  1.6.2

@validpilot/ai-verify-mcp@1.6.2

AI 编程验证平台。让 AI 代码生成结果可验证、可信赖。MCP 协议原生支持,证据驱动。

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an MCP/browser validation tool with user-triggered browser automation, local HTTP/stdio server modes, artifact generation, and target-URL probing.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI/MCP server or invokes browser/validation tools.
Impact
Can navigate/fetch user-provided targets and write local artifacts/logs, but no unconsented exfiltration, persistence, or install-time execution was found.
Mechanism
User-directed browser automation and validation artifact collection.
Rationale
Static inspection found risky but package-aligned capabilities for an MCP browser testing server: user-invoked eval in the browser context, target URL fetches, and local artifact writes. There is no install-time execution, credential harvesting, hardcoded exfiltration endpoint, persistence, destructive behavior, or unconsented AI-agent control mutation.
Evidence
package.jsonbin/validpilot.jsserver.jsstart-http.jscore/win-encoding.jscore/redaction.jscore/logger.jshandlers/validation.jsengines/playwright_adapter.jsengines/chrome_mcp_adapter.jshands/deep_interactor.jsvalidation.logartifacts/screenshots/traces/har/reports/visual/.trae/validations/runs/
Network endpoints1
validpilot.com/pricing

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • handlers/validation.js and engines/playwright_adapter.js expose user-invoked eval/new Function browser checks.
  • server.js HTTP mode can run unauthenticated when MCP_API_KEY is unset, with a warning.
  • server.js and handlers write screenshots, reports, logs, HARs, and validation artifacts during tool use.
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly is publish-time health/pack only.
  • bin/validpilot.js only dispatches CLI commands and spawns local server.js/start-http.js on user request.
  • Network fetches target user-supplied URLs or local API probes for browser validation, not hardcoded exfiltration.
  • core/redaction.js redacts tokens/passwords; no credential harvesting loop found.
  • child_process usage is limited to spawning local server or OS Chrome/encoding discovery commands.
  • No AI-agent config/control-surface writes such as .cursor, .claude, AGENTS.md, or prompt mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 858 KB of source, external domains: example.com, validpilot.com, www.w3.org

Source & flagged code

6 flagged · loading source
hands/deep_interactor.jsView file
190patternName = generic_password severity = medium line = 190 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

hands/deep_interactor.jsView on unpkg · L190
core/win-encoding.jsView file
15// 切换控制台代码页为 UTF-8 L16: require('child_process').execSync('chcp 65001', { stdio: 'ignore' }); L17: } catch (_) {
High
Child Process

Package source references child process execution.

core/win-encoding.jsView on unpkg · L15
5* L6: * 解决 PowerShell (GBK) 显示 Node.js UTF-8 输出时中文乱码的问题。 L7: * 在脚本入口处 require 即可生效。
High
Shell

Package source references shell execution.

core/win-encoding.jsView on unpkg · L5
engines/playwright_adapter.jsView file
173L174: async eval(args = {}) { L175: const page = await this.ensurePage(args);
Low
Eval

Package source references a known benign dynamic code generation pattern.

engines/playwright_adapter.jsView on unpkg · L173
bin/validpilot.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @validpilot/ai-verify-mcp@1.6.1 matchedIdentity = npm:[redacted]:1.6.1 similarity = 0.947 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/validpilot.jsView on unpkg
5Cross-file remote execution chain: bin/validpilot.js spawns server.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const { spawn } = require('child_process'); L7: const { validationQuickRun } = require('../hands/verification_runner'); ... L9: L10: const PKG = require('../package.json'); L11: ... L103: const resolved = path.resolve(flowPath); L104: const raw = JSON.parse(fs.readFileSync(resolved, 'utf8')); L105: ... L135: function startServer(script, extraEnv = {}) { L136: const child = spawn(process.execPath, [path.join(__dirname, '..', script)], { L137: stdio: 'inherit',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/validpilot.jsView on unpkg · L5

Findings

1 Critical3 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltabin/validpilot.js
HighChild Processcore/win-encoding.js
HighShellcore/win-encoding.js
HighCross File Remote Execution Contextbin/validpilot.js
MediumSecret Patternhands/deep_interactor.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalengines/playwright_adapter.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings