registry  /  @validpilot/ai-verify-mcp  /  1.6.9

@validpilot/ai-verify-mcp@1.6.9

AI 编程验证平台。让 AI 代码生成结果可验证、可信赖。MCP 协议原生支持,证据驱动。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
A user or connected MCP agent calls `browser_eval` or `bypass_login` against a target page.
Impact
Could test or alter content within the authority of the launched browser session; no host-side payload execution, credential exfiltration, or persistence is confirmed.
Mechanism
Caller-directed browser-context script execution and authentication-bypass probing.
Rationale
Source inspection confirms dangerous explicit MCP security-testing capabilities but no concrete malicious execution or unconsented install-time control-surface mutation. The scanner's Trojan Source finding is repeated UTF-8 BOM padding at `server.js` start, not hidden bidirectional logic.
Evidence
package.jsonserver.jshandlers/browser.jshandlers/correlate.jscore/redaction.jscore/win-encoding.jscore/artifacts.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `handlers/browser.js` exposes MCP `browser_eval`, evaluating caller-provided JavaScript in a browser page.
  • `handlers/correlate.js` exposes `bypass_login`, which probes protected URLs without cookies/auth and tries supplied backdoor paths.
  • `server.js` loads these tools through the MCP runtime; its entrypoint has repeated BOMs but no concealed bidi control flow.
  • `server.js` writes browser/HAR/report artifacts, so MCP requests can affect local project artifact directories.
Evidence against
  • `package.json` has only `prepublishOnly`; install does not run package code.
  • No source writes `.claude`, `.cursor`, `mcp.json`, editor settings, or home-directory agent configuration.
  • No package-controlled credential exfiltration endpoint or outbound HTTP client was found; browser fetches operate on user-supplied target pages.
  • `core/redaction.js` redacts common tokens and API keys from structured output.
  • `core/win-encoding.js` only changes the Windows terminal code page; shell use is platform-local.
  • Process spawning is limited to starting this package's local server/browser helpers and Chrome discovery.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 1.07 MB of source, external domains: example.com, validpilot.com, www.w3.org

Source & flagged code

7 flagged · loading source
hands/deep_interactor.jsView file
190patternName = generic_password severity = medium line = 190 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

hands/deep_interactor.jsView on unpkg · L190
core/win-encoding.jsView file
15// 切换控制台代码页为 UTF-8 L16: require('child_process').execSync('chcp 65001', { stdio: 'ignore' }); L17: } catch (_) {
High
Child Process

Package source references child process execution.

core/win-encoding.jsView on unpkg · L15
5* L6: * 解决 PowerShell (GBK) 显示 Node.js UTF-8 输出时中文乱码的问题。 L7: * 在脚本入口处 require 即可生效。
High
Shell

Package source references shell execution.

core/win-encoding.jsView on unpkg · L5
server.jsView file
1contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF>
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

server.jsView on unpkg · L1
Trigger-reachable chain: manifest.main -> server.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = @validpilot/ai-verify-mcp@1.6.2 matchedIdentity = npm:[redacted]:1.6.2 similarity = 0.789 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server.jsView on unpkg
bin/validpilot.jsView file
5Cross-file remote execution chain: bin/validpilot.js spawns server.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const { spawn } = require('child_process'); L7: const { validationQuickRun } = require('../hands/verification_runner'); ... L9: L10: const PKG = require('../package.json'); L11: ... L103: const resolved = path.resolve(flowPath); L104: const raw = JSON.parse(fs.readFileSync(resolved, 'utf8')); L105: ... L135: function startServer(script, extraEnv = {}) { L136: const child = spawn(process.execPath, [path.join(__dirname, '..', script)], { L137: stdio: 'inherit',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/validpilot.jsView on unpkg · L5

Findings

3 Critical3 High4 Medium6 Low
CriticalTrojan Source Unicodeserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
CriticalPrevious Version Dangerous Deltaserver.js
HighChild Processcore/win-encoding.js
HighShellcore/win-encoding.js
HighCross File Remote Execution Contextbin/validpilot.js
MediumSecret Patternhands/deep_interactor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings