haltija@1.3.0

Browser control for AI agents - query DOM, click, type, run JS, watch mutations

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are local browser automation, CLI server control, MCP setup, eval, shell, and file-write features that match the package purpose and require user/runtime invocation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs haltija/hj/haltija-mcp-setup commands or starts the local server.
Impact
Intended local automation can execute browser JS or shell/file actions when exposed to a user/agent, but no install-time or covert exfiltration behavior was found.
Mechanism
local browser-control server and optional MCP configuration
Rationale
Static inspection shows no lifecycle execution, credential harvesting, remote payload fetch/execute, or covert network exfiltration. The flagged child_process, eval, localhost fetches, MCP config writes, and Unicode samples are package-aligned browser automation/setup features activated by explicit user commands.
Evidence
package.json, bin/tosijs-dev.mjs, bin/mcp-setup.mjs, bin/hj.mjs, bin/cli-subcommand.mjs, dist/index.js, dist/server.js, dist/hj.js, apps/desktop/main.js, .mcp.json, ~/.claude.json, Claude Desktop claude_desktop_config.json, ~/.haltija/servers/*.json
Network endpoints (5)
localhost:8700/status, localhost:8700/inject.js, localhost:8700, claude.ai/download, claude.ai/code

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; bins are user-invoked.
    • bin/tosijs-dev.mjs starts local server/app and only writes Claude config for explicit --setup-mcp.
    • bin/mcp-setup.mjs creates/removes .mcp.json only when executed as setup tool.
    • dist/server.js exposes browser-control eval, shell, and file-write APIs as documented local agent features.
    • dist/server.js supports HALTIJA_TOKEN checks for REST/WebSocket when configured.
    • dist/hj.js Unicode findings are test/formatter sample strings, not hidden control-flow payloads.
    Behavioral surface
    Source
    ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
    Supply chain
    HighEntropyStrings, Minified, Obfuscated, UrlStrings
    Manifest
    No manifest risk signals triggered.
    scanned 36 file(s), 3.49 MB of source, external domains: bun.sh, claude.ai, example.com, github.com, haltija-test.example, www.google.com, www.w3.org

    Source & flagged code

    9 flagged
    bin/tosijs-dev.mjs
    L14:
    L15: import { spawn, execSync as execSyncImported } from 'child_process'
    L16: import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
    ...
    L20:
    L21: const __dirname = dirname(fileURLToPath(import.meta.url))
    L22: const serverPath = join(__dirname, '../dist/server.js')
    ...
    L55: --https-port <n> Set HTTPS port (default: 8701)
    L56: --token <value> Require X-Haltija-Token header on REST and ?token= on WebSocket
    L57: (default: off; sets HALTIJA_TOKEN)
    ...
    L146: try {
    L147: const config = JSON.parse(readFileSync(configPath, 'utf8'))
    L148: if (config.mcpServers?.haltija) {
    Critical
    Download Execute

    Source downloads or fetches remote code and executes it.

    bin/tosijs-dev.mjs · L14
    L14:
    L15: import { spawn, execSync as execSyncImported } from 'child_process'
    L16: import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
    High
    Child Process

    Package source references child process execution.

    bin/tosijs-dev.mjs · L14
    Cross-file remote execution chain: bin/tosijs-dev.mjs spawns dist/server.js; helper contains network access plus dynamic code execution.
    L14:
    L15: import { spawn, execSync as execSyncImported } from 'child_process'
    L16: import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
    ...
    L20:
    L21: const __dirname = dirname(fileURLToPath(import.meta.url))
    L22: const serverPath = join(__dirname, '../dist/server.js')
    ...
    L55: --https-port <n> Set HTTPS port (default: 8701)
    L56: --token <value> Require X-Haltija-Token header on REST and ?token= on WebSocket
    L57: (default: off; sets HALTIJA_TOKEN)
    ...
    L146: try {
    L147: const config = JSON.parse(readFileSync(configPath, 'utf8'))
    L148: if (config.mcpServers?.haltija) {
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    bin/tosijs-dev.mjs · L14
    L5: * Usage:
    L6: * npx haltija # Launch desktop app (or server if electron unavailable)
    L7: * npx haltija --server # Server only (for CI, headless, bookmarklet usage)
    ...
    L14:
    L15: import { spawn, execSync as execSyncImported } from 'child_process'
    L16: import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    bin/tosijs-dev.mjs · L5
    dist/client.js
    L70: }
    L71: async eval(code) {
    L72: const res = await fetch(`${this.baseUrl}/eval`, {
    High
    Eval

    Package source references dynamic code evaluation.

    dist/client.js · L70
    apps/desktop/main.js
    L23: const os = require('os')
    L24: const { spawn } = require('child_process')
    L25: const http = require('http')
    L26: const { attachNetwork, detachNetwork, getNetworkLog, getNetworkStats, clearNetwork, isMonitoring } = require('./cdp-network.js')
    ...
    L32: // Haltija server config
    L33: const HALTIJA_PORT = parseInt(process.env.HALTIJA_PORT || '8700')
    L34: const HALTIJA_SERVER = `http://localhost:${HALTIJA_PORT}`
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    apps/desktop/main.js · L23
    dist/index.js
    Trigger-reachable chain: manifest.main -> dist/index.js
    L49: import { join as join2 } from "path";
    L50: import { spawn } from "child_process";
    L51: function createTerminalState(maxPushBuffer = 100) {
    ...
    L72: ws,
    L73: cwd: defaultCwd || process.env.HOME || process.cwd()
    L74: };
    ...
    L171: const raw = readFileSync2(configPath, "utf-8");
    L172: const parsed = JSON.parse(raw);
    L173: if (parsed && typeof parsed === "object" && parsed.tools) {
    ...
    L265: });
    L266: let stdout = "";
    L267: let stderr = "";
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.js · L49
    L49: import { join as join2 } from "path";
    L50: import { spawn } from "child_process";
    L51: function createTerminalState(maxPushBuffer = 100) {
    ...
    L72: ws,
    L73: cwd: defaultCwd || process.env.HOME || process.cwd()
    L74: };
    ...
    L171: const raw = readFileSync2(configPath, "utf-8");
    L172: const parsed = JSON.parse(raw);
    L173: if (parsed && typeof parsed === "object" && parsed.tools) {
    ...
    L265: });
    L266: let stdout = "";
    L267: let stderr = "";
    High
    Obfuscated Payload Loader

    Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

    dist/index.js · L49
    dist/hj.js
    L558: contains invisible/control Unicode U+202E (right-to-left override): "<U+202E>Reverse",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/hj.js · L558

    Findings

    3 Critical · 7 High · 3 Medium · 5 Low
    Critical · Download Execute · bin/tosijs-dev.mjs
    Critical · Trojan Source Unicode · dist/hj.js
    Critical · Trigger Reachable Dangerous Capability · dist/index.js
    High · Child Process · bin/tosijs-dev.mjs
    High · Shell
    High · Eval · dist/client.js
    High · Same File Env Network Execution · apps/desktop/main.js
    High · Obfuscated Payload Loader · dist/index.js
    High · Cross File Remote Execution Context · bin/tosijs-dev.mjs
    High · Runtime Package Install · bin/tosijs-dev.mjs
    Medium · Network
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · Obfuscated
    Low · High Entropy Strings
    Low · Url Strings