registry  /  ai-project-manage-cli  /  7.1.1

ai-project-manage-cli@7.1.1

命令行工具:后续用于调用平台后端 API 完成运维与自动化操作

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `apm connect`, `apm connect --daemon`, or deployment commands.
Impact
A configured platform can direct Cursor-agent work in a supplied workspace; deployment commands can build, push, and replace remote containers.
Mechanism
Platform-delivered AI-agent task execution plus user-invoked deployment and global self-update.
Rationale
Source inspection does not support the scanner's malicious verdict: there is no install hook, stealth payload, or confirmed credential exfiltration. The documented remote agent-control and deployment capabilities remain high-impact and warrant a warning.
Evidence
package.jsonREADME.mddist/index.jsdist/webide-message-worker.js~/.config/apm/config.json.apm/.apm/apm.config.json.apm/project/
Network endpoints3
127.0.0.1:3000/api/v1ws://127.0.0.1:3000/ws/agentregistry.npmjs.org/ai-project-manage-cli

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` `connect` opens an authenticated WebSocket and dispatches platform messages.
  • `dist/webide-message-worker.js` sends received prompt/workdir/API-key fields to `@cursor/sdk` agents.
  • `dist/index.js` runs `npm install -g ai-project-manage-cli@…` automatically before `connect` and daemon start.
  • Explicit deploy commands execute Docker, Maven, SSH, and SFTP operations using project configuration.
Evidence against
  • `package.json` has only `prepublishOnly`; published install has no preinstall/install/postinstall hook.
  • No `eval`, `Function`, VM loading, downloaded-code execution, or foreign Cursor/Claude/Codex config paths were found.
  • Network use, PM2 persistence, and project writes are attached to documented explicit CLI commands.
  • Default server is local `127.0.0.1`; other platform endpoints require user configuration/login.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 351 KB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
dist/index.jsView file
540// src/git-remote.ts L541: import { execFile } from "child_process"; L542: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L540
4284cwd, L4285: shell: true, L4286: env,
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4284
1955function runNpm(args, options = {}) { L1956: return spawnSync(useNpmShell ? "npm.cmd" : "npm", args, { L1957: ...options, ... L1961: function registryBaseUrl() { L1962: const fromEnv = process.env.npm[redacted]?.trim() || process.env.NPM_CONFIG_REGISTRY?.trim(); L1963: return (fromEnv || "https://registry.npmjs.org").replace(/\/+$/, ""); L1964: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1955
9Cross-file remote execution chain: dist/index.js spawns dist/webide-message-worker.js; helper contains network access plus dynamic code execution. L9: import { join } from "path"; L10: var APM_CONFIG_DIR = join(homedir(), ".config", "apm"); L11: var APM_CONFIG_PATH = join(APM_CONFIG_DIR, "config.json"); L12: var DEFAULT_BASE_URL = "http://127.0.0.1:3000"; L13: function resolveClientMachineId(cfg) { ... L21: const raw = readFileSync(APM_CONFIG_PATH, "utf8"); L22: const v = JSON.parse(raw); L23: if (typeof v !== "object" || v === null) { ... L77: const origin = httpBaseToWsOrigin(httpBase); L78: const q = new URLSearchParams({ apiKey }); L79: return `${origin}/ws/agent?${q.toString()}`; ... L540: // src/git-remote.ts
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L9
dist/webide-message-worker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ai-project-manage-cli@6.0.111 matchedIdentity = npm:YWktcHJvamVjdC1tYW5hZ2UtY2xp:6.0.111 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/webide-message-worker.jsView on unpkg

Findings

1 Critical4 High2 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/webide-message-worker.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License