AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User starts the CLI and invokes MCP browser or network tools.
Impact
A connected AI client can use active browser session cookies and bypass CORS for caller-supplied targets.
Mechanism
Stealth browser automation with Turnstile clicking and browser-context request replay.
Rationale
No concrete malicious chain is present, but the exposed MCP features are a dangerous dual-use browser capability. Per firewall policy, this warrants a warning rather than a block.
Evidence
package.jsondist/src/shared/lib-core.jsdist/src/mcp/handlers/network.jsdist/src/shared/tools.jslib/esm/module/turnstile.mjsdist/src/index.jsdist/src/mcp/server.jsdist/src/mcp/handlers/browser.js.cache/browser_state.json.cache/activity_log.json
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/src/shared/lib-core.js` launches Patchright with `--disable-blink-features=AutomationControlled` and no-sandbox flags.
- `lib/esm/module/turnstile.mjs` detects Cloudflare challenges and clicks candidate Turnstile controls.
- `dist/src/mcp/handlers/network.js` replays caller-supplied requests in the browser context and returns response bodies.
- `dist/src/shared/tools.js` exposes request replay with attached browser cookies and CORS bypass.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- `dist/src/index.js` starts the MCP server only when its CLI entrypoint is invoked.
- No source writes AI-agent configuration; writes are cache/log files or caller-specified output paths.
- No fixed exfiltration endpoint, credential harvesting, remote payload loader, or destructive action was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsObfuscatedUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcedist/src/shared/lib-core.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/src/shared/lib-core.js` launches Patchright with `--disable-blink-features=AutomationControlled` and no-sandbox flags.
dist/src/shared/lib-core.jsView on unpkgFindings
5 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumAi Review Evidencedist/src/shared/lib-core.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings