registry  /  anima-use-google  /  0.1.6

anima-use-google@0.1.6

MCP server that runs Google AI Mode searches via a browser sidecar extension using your own logged-in session.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Package installs a first-party browser native-messaging sidecar when the user runs installer scripts, then exposes an MCP/CLI Google AI Mode search bridge over localhost. This is a guarded extension lifecycle risk, but not confirmed malicious by source inspection.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user invocation of native-host installer plus runtime MCP/CLI search request
Impact
Local MCP/CLI clients can cause the extension to open Google search tabs and receive extracted AI response HTML/citations.
Mechanism
browser native-messaging bridge to Google AI Mode
Rationale
Source inspection shows a package-aligned MCP/browser sidecar with explicit native-host installers and limited Google host permissions, with no automatic install hook abuse or exfiltration chain. Because it sets up a first-party agent/browser extension control surface, downgrade to warning rather than block.
Evidence
package.jsondist/index.jsdist/cli.jsdist/native-messaging.jsnative-host/host.jsnative-host/install-host.cjsnative-host/install-chrome-host.cjsextension/manifest.jsonextension/background.jsextension/content.jsextension-chromium/manifest.jsonextension-chromium/background.js~/.mozilla/native-messaging-hosts/com.google.ai.search.json~/Library/Application Support/Mozilla/NativeMessagingHosts/com.google.ai.search.json~/.config/google-chrome/NativeMessagingHosts/com.google.ai.search.json~/.config/chromium/NativeMessagingHosts/com.google.ai.search.json~/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.google.ai.search.json~/.anima-use-google/com.google.ai.search.json~/.anima-use-google/<browser>/com.google.ai.search.jsonnative-host/run-host.sh
Network endpoints2
www.google.com/search?udm=50&q=...127.0.0.1:51784

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • native-host/install-host.cjs writes Firefox native messaging manifests under user profile paths and may add HKCU registry key on Windows.
  • native-host/install-chrome-host.cjs writes Chromium/Chrome/Brave native messaging manifests and allowed_origins for a supplied extension id.
  • native-host/host.js opens localhost TCP 127.0.0.1:51784 and forwards framed requests to the browser extension.
  • extension*/background.js opens hidden Google AI Mode search tabs and returns page HTML/citations through native messaging.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare/prepublishOnly only run tsc.
  • Installer scripts are explicit user commands, not automatic npm install mutation.
  • Extension host permissions are limited to https://www.google.com/* and nativeMessaging.
  • No credential/env harvesting, broad filesystem scanning, remote payload loading, eval, or destructive behavior found.
  • Network behavior is package-aligned Google search: https://www.google.com/search?udm=50&q=...
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 78.2 KB of source, external domains: www.google.com

Source & flagged code

3 flagged · loading source
native-host/install-chrome-host.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = anima-use-google@0.1.4 matchedIdentity = npm:YW5pbWEtdXNlLWdvb2dsZQ:0.1.4 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

native-host/install-chrome-host.cjsView on unpkg
21const HOST_NAME = "com.google.ai.search"; L22: const REPO_ROOT = path.resolve(__dirname, ".."); L23: const HOST_JS = path.join(REPO_ROOT, "native-host", "host.js"); ... L60: L61: function parseArgs(argv = process.argv, env = process.env) { L62: let extensionId = env.CHROME_EXTENSION_ID || ""; ... L110: const nodeBin = process.execPath; L111: const content = `#!/bin/sh L112: exec "${nodeBin}" "${HOST_JS}" "$@" ... L119: browser = "chrome", L120: platform = process.platform, L121: homeDir = os.homedir(),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

native-host/install-chrome-host.cjsView on unpkg · L21
native-host/run-host.shView file
path = native-host/run-host.sh kind = build_helper sizeBytes = 84 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

native-host/run-host.shView on unpkg

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltanative-host/install-chrome-host.cjs
MediumEnvironment Vars
MediumInstall Persistencenative-host/install-chrome-host.cjs
MediumShips Build Helpernative-host/run-host.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings