AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `xerg mcp-setup`, `xerg audit --push`/`xerg push`, or remote audit commands.
Impact
A confirmed MCP configuration can grant the Xerg endpoint the configured client capabilities; opt-in audit pushes disclose audit-summary data to Xerg.
Mechanism
Prompt-gated MCP config write and opt-in hosted audit transport.
Rationale
Source inspection confirms opt-in cloud push, remote collection, and a prompt-gated Cursor MCP configuration write. There is no concrete malicious behavior, but explicit agent configuration mutation remains a non-blocking risk.
Evidence
package.jsondist/index.jsREADME.mdskills/xerg/SKILL.md.cursor/mcp.json~/.config/xerg/credentials.json~/.xerg/config.json~/.xerg/update-check.json
Network endpoints3
api.xerg.aimcp.xerg.ai/mcpregistry.npmjs.org/@xerg/cli/latest
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` runs `mcp-setup` only after an explicit command and interactive prompts.
- `mcp-setup` can write `.cursor/mcp.json` with an authenticated remote MCP server.
- `audit --push` sends audit summaries to Xerg only when the push path is selected.
- SSH/Railway collection executes user-invoked remote inspection commands to retrieve agent logs.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- CLI dispatch requires a user command; import/startup has no credential harvest or payload execution.
- MCP writes are limited to an existing project `.cursor` directory and require confirmation.
- No `eval`, `Function`, VM execution, or untrusted remote-code loader was found.
- Network hosts are Xerg endpoints and npm registry; push/login use configured Xerg credentials.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
7074// src/transport/ssh.ts
L7075: import { execSync, spawnSync } from "child_process";
L7076: import { createHash as createHash2 } from "crypto";
High
8560if (chunk.includes("\n") || chunk.includes("\r")) {
L8561: process.stderr.write("\n");
L8562: return;
...
L8567: rl.close();
L8568: resolve4(answer);
L8569: });
...
L8572: async function openBrowser(url) {
L8573: const { exec } = await import("child_process");
L8574: const { platform: platform2 } = await import("os");
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L856026function detectPackageExecutor(context) {
L27: const env = context?.env ?? process.env;
L28: const argv2 = context?.argv ?? process.argv;
L29: const userAgent = normalizeSignal(env.npm[redacted]);
L30: const execPath = normalizeSignal(env.npm_execpath);
...
L1866: ...row.inputWithCacheWriteTokens > 0 ? { cacheWriteTokens: row.inputWithCacheWriteTokens } : {},
L1867: metadata: {
L1868: source: "cursor-usage-csv",
...
L2103: try {
L2104: return normalizeStore(JSON.parse(readFileSync2(path, "utf8"))).auditSnapshots.sort(
L2105: (left, right) => right.createdAt.localeCompare(left.createdAt)
...
L2108: const message = error instanceof Error ? error.message : "Unknown error";
Low
Findings
3 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License