AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs the `preset` or `ai-agent-sync` Nx generator.
Impact
A generated workspace may load MCP servers, including floating `@latest` npx packages, when its editor/agent uses the configuration.
Mechanism
Writes AI-agent config and symlinks shared skills; registers MCP commands.
Rationale
No concrete malicious behavior was found by source inspection. The explicit generator-driven AI-agent configuration mutation is a non-blocking but meaningful capability risk.
Evidence
package.jsonsrc/generators/ai-agent-sync/generator.jssrc/generators/preset/generator.jssrc/generators/utils/link-claude-skills.jssrc/generators/preset/files/.cursor/mcp.json.cursor/mcp.json.agents/skillsAGENTS.mdCLAUDE.md.claude/skills
Network endpoints1
mcp.trackunit.ai/mcp
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `ai-agent-sync` explicitly writes Cursor, agent, and root AI-instruction files.
- Generated `.cursor/mcp.json` registers two `npx -y ...@latest` MCP commands and `https://mcp.trackunit.ai/mcp`.
- The preset/sync generators create `.claude/skills` symlink to generated agent skills.
- Agent-config changes occur only when the user invokes an Nx generator; no package lifecycle hook exists.
Evidence against
- `package.json` has no `scripts`, including no preinstall/install/postinstall hook.
- Symlink helper refuses to replace an existing file, directory, or differing symlink.
- Network code is limited to user-invoked Trackunit authentication, submission, approval, and unpublish flows.
- No child-process, eval/vm, payload download-and-execute, credential harvesting, or stealth persistence was found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcecursor/mcp.jsonView file
•Published source reference
Medium
Ai Review Evidence
Generated `.cursor/mcp.json` registers two `npx -y ...@latest` MCP commands and `https://mcp.trackunit.ai/mcp`.
cursor/mcp.jsonView on unpkgFindings
6 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidencecursor/mcp.json
MediumAi Review Evidence
MediumSuspicious Lifecycle Evidence
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License