registry  /  imprint-mcp  /  0.6.0

imprint-mcp@0.6.0

Teach an AI agent how to use any website. Once. Records a real browser session + narration; generates a deterministic MCP tool plus a DOM-replay playbook fallback.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The real risk is explicit CLI-driven agent extension registration and local credential/browser replay capability, which is package-aligned but sensitive.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs imprint install, teach, mcp, update, credential, record, replay, or generated MCP server commands.
Impact
Can add or remove first-party imprint MCP tools and use locally stored site credentials during replay when the user invokes those features.
Mechanism
Explicit MCP registration plus browser replay and local credential storage.
Rationale
Source inspection shows sensitive but package-aligned functionality activated by explicit CLI commands, not unconsented npm lifecycle mutation, credential exfiltration, persistence, or remote payload execution. The agent-control-surface writes justify a warning rather than a publish block.
Evidence
package.jsonsrc/cli.tssrc/imprint/install.tssrc/imprint/mcp-maintenance.tssrc/imprint/update.tssrc/imprint/credential-store.tssrc/imprint/replay-capture.ts~/.claude/settings.json~/Library/Application Support/Claude/claude_desktop_config.json~/.openclaw/openclaw.json~/.hermes/config.yaml~/.config/imprint/manifests/<site>.json~/.config/imprint/credentials/<site>.json
Network endpoints3
registry.npmjs.org/imprint-mcp/latestraw.githubusercontent.com/ashaychangwani/imprint/main/scripts/install.shapi.pushover.net/1/messages.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • src/imprint/install.ts writes MCP registrations for Claude Desktop/OpenClaw/Hermes configs and invokes claude/codex MCP registration commands.
  • src/imprint/mcp-maintenance.ts can disable/delete/restore existing imprint-* MCP registrations.
  • src/imprint/update.ts has user-invoked update paths that fetch npm metadata and may run bun global install or a GitHub install script.
  • src/imprint/credential-store.ts stores site credentials/cookies locally in OS keyring or encrypted file for runtime replay.
Evidence against
  • package.json has only a prepare script: git config core.hooksPath .githooks; no preinstall/install/postinstall hook.
  • src/cli.ts dispatches install/uninstall/mcp/update/credential behavior only after explicit CLI verbs.
  • MCP config mutations are first-party imprint-* registrations selected by user/platform prompts or CLI flags, not broad unconsented takeover.
  • Credential code is local storage/replay support; no source path found that exfiltrates credential store contents.
  • Network use is package-aligned: target-site replay, npm update check, optional push notifications, and LLM provider calls.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 138 file(s), 1.77 MB of source, external domains: 127.0.0.1, api.pushover.net, bun.sh, console.anthropic.com, crontab.guru, docs.anthropic.com, flights.google.com, github.com, imprint.invalid, imprint.local, ntfy.sh, raw.githubusercontent.com, registry.npmjs.org, sandiego.discoverandgo.net, www.cursor.com, www.example.com, www.google.com, www.southwest.com

Source & flagged code

5 flagged · loading source
src/imprint/codex-cli-compile.tsView file
9L10: import { type ChildProcess, spawn } from 'node:child_process'; L11: import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

src/imprint/codex-cli-compile.tsView on unpkg · L9
src/imprint/credential-store.tsView file
557// biome-ignore lint/suspicious/noExplicitAny: dynamic require L558: const mod = require('@napi-rs/keyring') as any; L559: if (!mod?.Entry || !mod?.findCredentials) return null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/imprint/credential-store.tsView on unpkg · L557
src/imprint/replay-capture.tsView file
14package = imprint-mcp; repositoryIdentity = imprint; dependency = playwright L14: import { join as pathJoin } from 'node:path'; L15: import type { Browser, BrowserContext, Locator, Page } from 'playwright'; L16: import { createLog } from './log.ts';
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/imprint/replay-capture.tsView on unpkg · L14
src/imprint/doctor.tsView file
111'no chromium-* install under PLAYWRIGHT_BROWSERS_PATH, $HERMES_HOME/.cache/ms-playwright, ~/Library/Caches/ms-playwright, or ~/.cache/ms-playwright', L112: fix: 'run: bunx playwright install chromium (needed for stealth-fetch + playbook)', L113: }; ... L117: try { L118: return spawnSync('sh', ['-c', 'command -v Xvfb'], { stdio: 'ignore' }).status === 0; L119: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/imprint/doctor.tsView on unpkg · L111
src/imprint/audit.tsView file
matchType = previous_version_dangerous_delta matchedPackage = imprint-mcp@0.5.1 matchedIdentity = npm:aW1wcmludC1tY3A:0.5.1 similarity = 0.534 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/imprint/audit.tsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/imprint/audit.ts
HighChild Processsrc/imprint/codex-cli-compile.ts
HighShell
HighCopied Package Dependency Bridgesrc/imprint/replay-capture.ts
HighRuntime Package Installsrc/imprint/doctor.ts
MediumDynamic Requiresrc/imprint/credential-store.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings