AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `decantr connect cursor` or `decantr rules apply`.
Impact
Can influence enabled AI-agent behavior in the selected project and delegate to `@decantr/mcp-server` when Cursor starts it.
Mechanism
Writes project AI-agent rules and registers an npx-launched MCP server.
Rationale
Direct inspection confirms an explicit-user-command AI-agent configuration feature, but no install-time execution, stealth persistence, exfiltration, or destructive behavior. Per policy, classify this first-party explicit agent-control mutation as suspicious rather than malicious.
Evidence
package.jsondist/bin.jsdist/chunk-GBIOY7B7.jsdist/chunk-GUMN6SP3.jsdist/chunk-JKSHNJOD.jsdist/chunk-L4JPSMQW.js.cursor/mcp.json.cursor/rules/decantr.mdc.claude/rules/decantr.mdCLAUDE.mdAGENTS.mdGEMINI.mdcopilot-instructions.md.github/copilot-instructions.md.cursorrules.windsurfrules
Network endpoints1
api.decantr.ai/v1
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/chunk-GBIOY7B7.js` implements `decantr connect cursor`, writing `.cursor/mcp.json` with `npx -y @decantr/mcp-server`.
- `dist/chunk-GBIOY7B7.js` implements explicit `decantr rules apply`, modifying existing `CLAUDE.md`, `AGENTS.md`, Cursor, Windsurf, Gemini, and Copilot rule files.
- The Cursor MCP registration can cause an external MCP package to be launched by Cursor after the user enables the connection.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- Agent-control writes occur only through user-invoked `connect cursor` or `rules apply` commands.
- MCP config preserves existing servers and uses a project-local `.cursor/mcp.json` path.
- Telemetry requires a project opt-in and a caller-configured endpoint in `dist/chunk-GUMN6SP3.js`.
- No `eval`, VM execution, shell-enabled child process, credential harvesting, or hidden import-time persistence was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/chunk-GBIOY7B7.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @decantr/cli@3.8.0
matchedIdentity = npm:QGRlY2FudHIvY2xp:3.8.0
similarity = 0.615
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-GBIOY7B7.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/chunk-GBIOY7B7.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings