registry  /  imprint-mcp  /  0.6.3

imprint-mcp@0.6.3

Teach an AI agent how to use any website. Once. Records a real browser session + narration; generates a deterministic MCP tool plus a DOM-replay playbook fallback.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time prepare mutates the enclosing Git repository's hooks-path setting. Explicit update and compile commands can execute remote installer code or highly privileged external AI agents.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm prepare lifecycle; explicit `imprint update`, generate, or compile commands
Impact
Can alter local Git hook resolution or grant spawned tooling broad local workspace control.
Mechanism
VCS configuration mutation and user-invoked privileged subprocess execution
Rationale
No concrete malicious exfiltration, stealth persistence, or foreign AI-agent mutation was established. Warn because the package includes an install-time Git configuration mutation and explicit privileged execution paths.
Evidence
package.jsonsrc/imprint/update.tssrc/imprint/claude-cli-compile.tssrc/imprint/codex-cli-compile.tssrc/imprint/install.tssrc/imprint/credential-store.ts.git/config.githooks~/.imprint
Network endpoints2
registry.npmjs.org/imprint-mcp/latestraw.githubusercontent.com/ashaychangwani/imprint/main/scripts/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` prepare runs `git config core.hooksPath .githooks` during lifecycle execution.
  • `src/imprint/update.ts` pipes a remote GitHub installer to bash for compiled-binary updates.
  • `src/imprint/claude-cli-compile.ts` launches Claude with `--permission-mode bypassPermissions`.
  • `src/imprint/codex-cli-compile.ts` runs Codex with workspace-write and automated MCP approval.
Evidence against
  • No preinstall/install/postinstall hook exists; the only lifecycle hook is prepare.
  • `src/imprint/install.ts` changes MCP registrations only through explicit install/uninstall commands.
  • `src/imprint/credential-store.ts` stores credentials in keyring or encrypted local files; inspected paths show no network upload.
  • Network calls inspected are package update checks or user-selected website replay/automation, not hidden exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 142 file(s), 1.98 MB of source, external domains: 127.0.0.1, api.pushover.net, bun.sh, console.anthropic.com, crontab.guru, docs.anthropic.com, flights.google.com, github.com, imprint.invalid, imprint.local, ntfy.sh, raw.githubusercontent.com, registry.npmjs.org, sandiego.discoverandgo.net, www.cursor.com, www.example.com, www.google.com, www.southwest.com

Source & flagged code

6 flagged · loading source
src/imprint/codex-cli-compile.tsView file
9L10: import { type ChildProcess, spawn, spawnSync } from 'node:child_process'; L11: import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

src/imprint/codex-cli-compile.tsView on unpkg · L9
265L266: const execArgs = opts.resume L267: ? ['exec', 'resume']
High
Shell

Package source references shell execution.

src/imprint/codex-cli-compile.tsView on unpkg · L265
src/imprint/credential-store.tsView file
533// biome-ignore lint/suspicious/noExplicitAny: dynamic require L534: const mod = require('@napi-rs/keyring') as any; L535: if (!mod?.Entry || !mod?.findCredentials) return null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/imprint/credential-store.tsView on unpkg · L533
src/imprint/replay-capture.tsView file
14package = imprint-mcp; repositoryIdentity = imprint; dependency = playwright L14: import { join as pathJoin } from 'node:path'; L15: import type { Browser, BrowserContext, Locator, Page } from 'playwright'; L16: import { createLog } from './log.ts';
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/imprint/replay-capture.tsView on unpkg · L14
src/imprint/doctor.tsView file
111'no chromium-* install under PLAYWRIGHT_BROWSERS_PATH, $HERMES_HOME/.cache/ms-playwright, ~/Library/Caches/ms-playwright, or ~/.cache/ms-playwright', L112: fix: 'run: bunx playwright install chromium (needed for stealth-fetch + playbook)', L113: }; ... L117: try { L118: return spawnSync('sh', ['-c', 'command -v Xvfb'], { stdio: 'ignore' }).status === 0; L119: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/imprint/doctor.tsView on unpkg · L111
src/imprint/claude-cli-compile.tsView file
matchType = previous_version_dangerous_delta matchedPackage = imprint-mcp@0.6.1 matchedIdentity = npm:aW1wcmludC1tY3A:0.6.1 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/imprint/claude-cli-compile.tsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/imprint/claude-cli-compile.ts
HighChild Processsrc/imprint/codex-cli-compile.ts
HighShellsrc/imprint/codex-cli-compile.ts
HighCopied Package Dependency Bridgesrc/imprint/replay-capture.ts
HighRuntime Package Installsrc/imprint/doctor.ts
MediumDynamic Requiresrc/imprint/credential-store.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings