AI Security Review
scanned 3h ago · by lpm-firewall-aiThe runtime MCP server provides authenticated remote VM automation, including execution of caller-supplied Python. An explicit setup command can register this package as a Cursor MCP server; no install-time control-surface mutation was found.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the setup CLI or invokes VM tools through a configured MCP client with valid workspace credentials.
Impact
A connected AI client can cause arbitrary script execution on VMs authorized for the configured Minicor workspace.
Mechanism
Authenticated remote VM script execution and explicit Cursor MCP configuration.
Rationale
Source inspection found a real, high-impact remote-execution capability, but it is explicit, authenticated, and aligned with the declared RPA/VM product. The package is not concretely malicious, though its capability warrants a warning classification.
Evidence
package.jsondist/setup.jsdist/tools/vm.jsdist/seed-skills.jsdist/paths.jsdist/disk-token-store.js
Network endpoints3
api.laminar.runca.api.laminar.runlam-vm-service-ernfuwetfa-uc.a.run.app
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with high false-positive risk.
Evidence for warning
- `dist/tools/vm.js` exposes `vm_execute_script` to run supplied Python on authenticated VMs.
- `dist/tools/vm.js` can request remote `/run-script` actions, including desktop-service installation.
- `dist/setup.js` writes a Cursor MCP entry when the user runs its setup command.
- `dist/seed-skills.js` uploads bundled skills using stored auth and an explicit admin key.
Evidence against
- `package.json` has only `prepare: npm run build`; no preinstall/install/postinstall hook.
- MCP config mutation is confined to the explicit `minicor-mcp-setup` command.
- Network calls target Minicor/Laminar API and VM-service endpoints consistent with the package purpose.
- No inspected source showed credential harvesting, stealth persistence, obfuscated payloads, or foreign-agent mutation during install.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/setup.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @minicor/mcp-server@3.6.0
matchedIdentity = npm:QG1pbmljb3IvbWNwLXNlcnZlcg:3.6.0
similarity = 0.756
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/setup.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/setup.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings