AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Novada MCP server whose network, proxy, browser, and file-write behavior is exposed as documented user-invoked tools.
Decision evidence
public snapshot
- MCP tools provide web scraping, proxy, and browser automation capabilities.
- build/tools/browser.js passes user-supplied code to page.evaluate in cloud browser sessions.
- build/tools/capture_apikey.js can return or reset Novada capture API keys when the tool is invoked.
- package.json lifecycle scripts are only build/test; there is no install-time execution and no hidden downloader.
- build/index.js starts an MCP stdio server and registers explicit user-invoked tools.
- Network calls are to Novada service APIs or user-supplied URLs for package-aligned scraping/extraction.
- build/utils/output.js writes only tool outputs under ~/Downloads/novada-mcp with sanitization.
- Destructive account actions in capture_apikey, ip_whitelist, and static_ip_mgmt have confirm:true gates.
- skills/novada-agent/setup.sh only prints setup guidance.
Source & flagged code
8 flagged
- Package ships non-JavaScript build or shell helper files: skills/novada-agent/setup.sh
- This package version adds a dangerous source file absent from the previous stored version: build/utils/html.js
- Hardcoded password in build/tools/proxy_residential.js (line 124)
- Hardcoded password in build/tools/proxy_account_create.js (line 87)
- Hardcoded password in build/tools/proxy_mobile.js (line 127)
- Hardcoded password in build/tools/proxy_datacenter.js (line 115)
- Hardcoded password in build/tools/proxy_isp.js (line 117)
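Three of the checks behind this report are mechanical enough to rerun locally before trusting it: the lifecycle-script claim under decision evidence, the non-JavaScript file finding, and the hardcoded-password findings in the proxy tools. The block below is an added example that runs those checks over a constructed in-memory snapshot; it is not lpm-firewall-ai's scanner and not code from novada-mcp. The file names, file contents, the install-hook list, and the password regex are assumptions (the regex in particular only catches a quoted literal assigned to a key named password/passwd/pass, which is one of many ways a secret can be embedded).

```javascript
'use strict';
// Added example, not lpm-firewall-ai's scanner and not novada-mcp code: reruns
// three review checks on a constructed package snapshot held in memory.
// File names and contents below are hypothetical.

// Script names npm runs on its own during install; anything else (build, test)
// only runs when a human invokes it.
const INSTALL_TIME_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Lifecycle scripts that would execute at install time, in declaration order.
function installTimeHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return Object.keys(scripts).filter((name) => INSTALL_TIME_HOOKS.includes(name));
}

// Shipped files that are not JavaScript modules or their companions; shell
// helpers, native binaries and similar land here for manual review.
function nonJsFiles(fileNames) {
  return fileNames.filter((f) => !/\.(c?m?js|json|d\.ts|map)$/.test(f));
}

// Crude literal-credential pattern: key named password/passwd/pass assigned a
// non-empty quoted string. Values read from process.env or config do not match.
const HARDCODED_PASSWORD = /\b(password|passwd|pass)\b\s*[:=]\s*(['"`])[^'"`\n]+\2/i;

// 1-based line numbers on which the pattern matches.
function hardcodedPasswordLines(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (HARDCODED_PASSWORD.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Run all three checks over { packageJson, files: { name: contents } }.
function auditSnapshot(snapshot) {
  const names = Object.keys(snapshot.files);
  const hardcodedPasswords = {};
  for (const name of names) {
    if (!/\.c?m?js$/.test(name)) continue; // only JavaScript sources get the regex
    const lines = hardcodedPasswordLines(snapshot.files[name]);
    if (lines.length > 0) hardcodedPasswords[name] = lines;
  }
  return {
    installTimeHooks: installTimeHooks(snapshot.packageJson),
    nonJsFiles: nonJsFiles(names),
    hardcodedPasswords,
  };
}

// Constructed snapshot shaped like the review's findings; not the real package.
const SAMPLE_SNAPSHOT = {
  packageJson: { name: 'example-mcp', scripts: { build: 'tsc -p .', test: 'node --test' } },
  files: {
    'package.json': '{}',
    'build/index.js': "'use strict';\n",
    'skills/example-agent/setup.sh': '#!/bin/sh\necho "add the server to your MCP client config"\n',
    'build/tools/proxy_example.js': [
      "const host = 'proxy.example.invalid';",
      'const port = 7777;',
      "const username = 'example-user';",
      "const password = 'not-a-real-secret';", // line 4: the literal credential
      'module.exports = { host, port, username, password };',
    ].join('\n'),
    'build/tools/proxy_env.js': 'const password = process.env.PROXY_PASSWORD;\n',
  },
};

function auditSample() {
  return auditSnapshot(SAMPLE_SNAPSHOT);
}

module.exports = { installTimeHooks, nonJsFiles, hardcodedPasswordLines, auditSnapshot, auditSample, SAMPLE_SNAPSHOT };
```

Running auditSample() on the constructed snapshot reports no install-time hooks, one non-JavaScript file (the shell helper), and a single hardcoded-password hit at line 4 of the proxy file; the file that reads the password from the environment is not flagged. Pointing auditSnapshot at a real unpacked tarball only requires reading package.json and the file tree into the same shape.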