registry  /  @xerg/cli  /  0.7.0

@xerg/cli@0.7.0

Find wasted AI spend in OpenClaw, Hermes, Claude Code, and Cursor — plus any framework via event ingest.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `xerg mcp-setup`, `xerg audit --push`/`xerg push`, or remote audit commands.
Impact
A confirmed MCP configuration can grant the Xerg endpoint the configured client capabilities; opt-in audit pushes disclose audit-summary data to Xerg.
Mechanism
Prompt-gated MCP config write and opt-in hosted audit transport.
Rationale
Source inspection confirms opt-in cloud push, remote collection, and a prompt-gated Cursor MCP configuration write. There is no concrete malicious behavior, but explicit agent configuration mutation remains a non-blocking risk.
Evidence
package.jsondist/index.jsREADME.mdskills/xerg/SKILL.md.cursor/mcp.json~/.config/xerg/credentials.json~/.xerg/config.json~/.xerg/update-check.json
Network endpoints3
api.xerg.aimcp.xerg.ai/mcpregistry.npmjs.org/@xerg/cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` runs `mcp-setup` only after an explicit command and interactive prompts.
  • `mcp-setup` can write `.cursor/mcp.json` with an authenticated remote MCP server.
  • `audit --push` sends audit summaries to Xerg only when the push path is selected.
  • SSH/Railway collection executes user-invoked remote inspection commands to retrieve agent logs.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • CLI dispatch requires a user command; import/startup has no credential harvest or payload execution.
  • MCP writes are limited to an existing project `.cursor` directory and require confirmation.
  • No `eval`, `Function`, VM execution, or untrusted remote-code loader was found.
  • Network hosts are Xerg endpoints and npm registry; push/login use configured Xerg credentials.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 349 KB of source, external domains: api.xerg.ai, mcp.xerg.ai, registry.npmjs.org, staging.xerg.ai, xerg.ai

Source & flagged code

3 flagged · loading source
dist/index.jsView file
7074// src/transport/ssh.ts L7075: import { execSync, spawnSync } from "child_process"; L7076: import { createHash as createHash2 } from "crypto";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7074
8560if (chunk.includes("\n") || chunk.includes("\r")) { L8561: process.stderr.write("\n"); L8562: return; ... L8567: rl.close(); L8568: resolve4(answer); L8569: }); ... L8572: async function openBrowser(url) { L8573: const { exec } = await import("child_process"); L8574: const { platform: platform2 } = await import("os");
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L8560
26function detectPackageExecutor(context) { L27: const env = context?.env ?? process.env; L28: const argv2 = context?.argv ?? process.argv; L29: const userAgent = normalizeSignal(env.npm[redacted]); L30: const execPath = normalizeSignal(env.npm_execpath); ... L1866: ...row.inputWithCacheWriteTokens > 0 ? { cacheWriteTokens: row.inputWithCacheWriteTokens } : {}, L1867: metadata: { L1868: source: "cursor-usage-csv", ... L2103: try { L2104: return normalizeStore(JSON.parse(readFileSync2(path, "utf8"))).auditSnapshots.sort( L2105: (left, right) => right.createdAt.localeCompare(left.createdAt) ... L2108: const message = error instanceof Error ? error.message : "Unknown error";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L26

Findings

3 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License