AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked MCP security scanner with network and repo scanning capabilities aligned with its README and tool descriptions.
Decision evidence
public snapshot- package.json has no npm lifecycle hooks; only bin fracta-mcp -> dist/index.js
- dist/index.js starts an MCP stdio server and exposes documented scan tools
- Network fetches target user-supplied URLs with SSRF validation for passive_scan
- scan_repo reads a user-supplied/local repo path and runs gitleaks if present
- Runtime writes are package-aligned reports/state: fracta-reports and fracta-state.db
- Anthropic API use is opt-in via FRACTA_LLM=1 and ANTHROPIC_API_KEY
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L541