
chrome-devtools@1.5.0

MCP server for Chrome DevTools

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 76 file(s), 1.88 MB of source, external domains: 127.0.0.1, chromestatus.com, chromeuxreport.googleapis.com, chromium.googlesource.com, chromiumdash.appspot.com, crbug.com, datatracker.ietf.org, developer.chrome.com, developer.mozilla.org, developers.google.com, example.com, fedidcg.github.io, ffmpeg.org, github.com, html.spec.whatwg.org, play.googleapis.com, policies.google.com, privacycg.github.io, privacysandbox.com, registry.npmjs.org, urlpattern.spec.whatwg.org, web.dev, wicg.github.io, www.chromium.org, www.ffmpeg.org, www.ietf.org, www.rfc-editor.org
Oversized source lightweight scan
build/src/third_party/index.js: 6.52 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, Crypto, Shell, HighEntropyStrings, UrlStrings
external domains: chromestatus.com, chromium.googlesource.com, chromiumdash.appspot.com, crbug.com, datatracker.ietf.org, developer.chrome.com, developer.mozilla.org, developers.google.com, example.com, fedidcg.github.io, github.com, html.spec.whatwg.org, privacycg.github.io, privacysandbox.com, web.dev, wicg.github.io, www.chromium.org, www.ietf.org, www.rfc-editor.org
build/src/third_party/lighthouse-devtools-mcp-bundle.js: 8.08 MB file, sampled 256 KB
Network, ChildProcess, EnvironmentVars, HighEntropyStrings, UrlStrings
external domains: github.com

Source & flagged code

4 flagged
build/src/tools/performance.js
L179: patternName = google_api_key severity = high line = 179 matchedText = cruxMana...k');
High
High Secret

Package contains a high-severity secret pattern.

build/src/tools/performance.js · L179
L179: patternName = google_api_key severity = high line = 179 matchedText = cruxMana...k');
High
Secret Pattern

Google API key in build/src/tools/performance.js

build/src/tools/performance.js · L179
build/src/third_party/devtools-formatter-worker.js
L8376: }
L8377: eval(val) {
L8378: const sign = val < 0 ? -1 : 1.0;
Low
Eval

Package source references a known benign dynamic code generation pattern.

build/src/third_party/devtools-formatter-worker.js · L8376
build/src/third_party/lighthouse-devtools-mcp-bundle.js
path = build/src/third_party/lighthouse-devtools-mcp-bundle.js kind = oversized_source_file sizeBytes = 8475771 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

build/src/third_party/lighthouse-devtools-mcp-bundle.js

Findings

3 High · 3 Medium · 6 Low
High · High Secret · build/src/tools/performance.js
High · Oversized Source File · build/src/third_party/lighthouse-devtools-mcp-bundle.js
High · Secret Pattern · build/src/tools/performance.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · build/src/third_party/devtools-formatter-worker.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings