AI Security Review
scanned 50m ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime network access is package-aligned browser rendering of caller-supplied URLs, with default SSRF-style blocks for local and metadata targets.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports API, starts ScreenPool/HTTP server, or runs the screenpool CLI.
Impact
Can fetch and render user-requested web pages; no evidence of unconsented install-time execution or data exfiltration.
Mechanism
Headless Chromium screenshot/PDF/extraction pool with guarded URL validation.
Rationale
The suspicious metadata strings are part of a default denylist, and process/env/file primitives are aligned with Chromium resolution, memory checks, and explicit CLI output. Source inspection found no concrete malicious chain or install-time behavior.
Evidence
package.jsondist/index.jsdist/cli.jsdist/http/createScreenPoolServer.jsdist/cli.js writes caller-requested output filesdist/index.js reads /proc/<pid>/status on Linux
Network endpoints3
metadata.google.internalmetadata169.254.169.254
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js and dist/cli.js launch Chromium and navigate to user-provided URLs at runtime.
- dist/index.js supports user-provided injectJS via page.evaluate, a dual-use rendering feature.
- dist/cli.js can write rendered outputs to user-specified paths; absolute paths are allowed by design.
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build script.
- dist/index.js blocks file://, localhost, private/link-local networks, 169.254.169.254, and metadata hostnames by default.
- dist/index.js child_process usage is limited to execFile('ps', ...) for browser memory measurement.
- No credential harvesting, exfiltration endpoints, payload download, persistence, destructive behavior, or AI-agent control writes found.
- dist/http/createScreenPoolServer.js exposes render routes only when user explicitly starts the server.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
31function resolveConfig(config) {
L32: const outputDir = config.outputDir ?? config.storage?.outputDir ?? process.env.SCREENPOOL_OUTPUT_DIR ?? DEFAULT_OUTPUT_DIR;
L33: const tempDir = config.storage?.tempDir ?? process.env.SCREENPOOL_TEMP_DIR ?? `${os.tmpdir()}/screenpool`;
...
L44: allowLocalhost: config.allowLocalhost ?? false,
L45: allowPrivateNetworks: config.allowPrivateNetworks ?? false,
L46: allowFileProtocol: config.allowFileProtocol ?? false,
...
L226: }
L227: dirs.add(join(homedir(), ".cache", "puppeteer"));
L228: dirs.add(process.cwd());
...
L409: // src/utils/processMemory.ts
L410: import { execFile } from "child_process";
L411: import { readFile } from "fs/promises";
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/index.jsView on unpkg · L31Findings
1 High1 Medium3 Low
HighCloud Metadata Accessdist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem