AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package exposes an explicit Cursor-agent runtime adapter that launches a helper subprocess. When requested, it can let the Cursor SDK use native tools in the caller-selected working directory; optional isolation constrains that helper and its egress.
Decision evidence
public snapshot- `src/adapters/cursor.ts` explicitly spawns a Node helper for Cursor agent runs.
- `src/adapters/cursor-node-helper.ts` invokes the Cursor SDK, whose native tools can act in the supplied working directory.
- `src/adapters/cursor-isolation.ts` writes sandbox/relay files and launches `sandbox-exec` or `bwrap` when isolation is requested.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Cursor execution is reached only through `CursorAdapter.chat`; importing the package does not start it.
- Isolation is opt-in and uses an environment allowlist plus a restricted workspace.
- `src/adapters/cursor-broker.ts` forwards only to `api.cursor.com` and `api2.cursor.sh`; no arbitrary exfiltration target was found.
- No source writes foreign AI-agent configuration, hooks, or broad host persistence.
Source & flagged code
3 flagged · loading sourceSource matches reverse-shell style process and socket wiring.
build/adapters/cursor-isolation.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
build/adapters/cursor-isolation.jsView on unpkg · L13Package source references child process execution.
build/adapters/cursor-isolation.jsView on unpkg · L13