registry  /  newton-browser  /  0.4.0

newton-browser@0.4.0

Local stdio MCP host and localhost WebSocket relay for the Newton Browser extension.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `newton-browser --install codex` or `--install claude-desktop`; otherwise user runs the CLI.
Impact
A user-invoked install can cause compatible AI clients to launch this package later; runtime browser control is a declared package capability.
Mechanism
Explicit MCP client configuration mutation and localhost browser-control relay.
Rationale
This is not malicious: it has no npm lifecycle execution, remote payload path, or credential theft behavior. Warn because an explicit command mutates AI-agent client configuration and registers persistent future execution.
Evidence
package.jsonREADME.mddist/index.js~/.codex/config.tomlClaude/claude_desktop_config.json<config-dir>/newton-browser/pairing.json
Network endpoints2
127.0.0.1:${port}/doctor-status127.0.0.1:17321

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements explicit `--install` configuration updates for Codex and Claude Desktop.
  • The install path writes MCP entries invoking `npx --yes --package newton-browser@0.4.0 newton-browser` and creates backups.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Entrypoint runs only as the `newton-browser` CLI; no import-time side effects.
  • `dist/index.js` uses only stdio and loopback `127.0.0.1` HTTP/WebSocket transport.
  • No child-process execution, eval/vm, dynamic loading, or non-local network endpoint was found.
  • Pairing secrets are generated locally with restrictive file modes; redaction code removes sensitive data from observations.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 109 KB of source, external domains: 127.0.0.1

Source & flagged code

1 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` implements explicit `--install` configuration updates for Codex and Claude Desktop.

dist/index.jsView on unpkg

Findings

4 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowUrl Strings