AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package exposes user-invoked MCP tools for web search, extraction, crawling, proxies, browser automation, and account management, aligned with its manifest and README.
Decision evidence
public snapshot
- User-invoked tools can fetch arbitrary URLs and write extracted output under ~/Downloads/novada-mcp (build/tools/site_copy.js, build/utils/output.js).
- Proxy/account tools read NOVADA_* credentials and call Novada management/API hosts when invoked (build/utils/credentials.js, build/_core/developer_api.js).
- package.json lifecycle hooks are build/test-only; prepare runs npm run build and prepublishOnly blocks local .env before publishing.
- Entrypoint build/index.js starts an MCP stdio server; no install-time credential harvesting or persistence found.
- Network endpoints are Novada service APIs or user-supplied URLs for the package's declared search/scrape/crawl/proxy purpose.
- Filesystem writes are bounded to generated outputs under ~/Downloads/novada-mcp with filename sanitization/path checks.
- skills/novada-agent/setup.sh only prints setup guidance; no downloads, shell execution, or file mutation.
- No child_process, eval/vm/Function, native binary loading, destructive commands, or AI-agent config mutation found in inspected files.
Source & flagged code
8 flagged
- Package ships non-JavaScript build or shell helper files: skills/novada-agent/setup.sh
- This package version adds a dangerous source file absent from the previous stored version: build/tools/site_copy.js
- Hardcoded password in build/tools/proxy_residential.js · L124
- Hardcoded password in build/tools/proxy_account_create.js · L87
- Hardcoded password in build/tools/proxy_mobile.js · L127
- Hardcoded password in build/tools/proxy_datacenter.js · L115
- Hardcoded password in build/tools/proxy_isp.js · L117