registry  /  ai.libx.js  /  0.18.12

ai.libx.js@0.18.12

Unified API bridge for various AI models (LLMs, image/video generation, TTS, STT) - stateless, edge-compatible

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package exposes an explicit Cursor-agent runtime adapter that launches a helper subprocess. When requested, it can let the Cursor SDK use native tools in the caller-selected working directory; optional isolation constrains that helper and its egress.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer calls `CursorAdapter.chat` with a `cursor/*` model; isolation activates only when `providerOptions.isolation` is supplied.
Impact
A caller can delegate workspace file/shell-capable agent work to Cursor; this is a real dual-use capability, not install-time or covert execution.
Mechanism
User-invoked Cursor SDK subprocess with optional OS sandbox and credential-brokering proxy.
Rationale
The reverse-shell heuristic is a false characterization of a localhost-to-Unix-socket relay used by optional sandboxing. The package is not malicious, but it exposes a user-invoked, file/shell-capable AI-agent integration that warrants a warning classification.
Evidence
package.jsonsrc/adapters/cursor.tssrc/adapters/cursor-node-helper.tssrc/adapters/cursor-isolation.tssrc/adapters/cursor-broker.tsbuild/adapters/cursor-broker.jsbuild/adapters/cursor.jsbuild/adapters/cursor-node-helper.jsbuild/adapters/cursor-isolation.js
Network endpoints2
api.cursor.comapi2.cursor.sh

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/adapters/cursor.ts` explicitly spawns a Node helper for Cursor agent runs.
  • `src/adapters/cursor-node-helper.ts` invokes the Cursor SDK, whose native tools can act in the supplied working directory.
  • `src/adapters/cursor-isolation.ts` writes sandbox/relay files and launches `sandbox-exec` or `bwrap` when isolation is requested.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Cursor execution is reached only through `CursorAdapter.chat`; importing the package does not start it.
  • Isolation is opt-in and uses an environment allowlist plus a restricted workspace.
  • `src/adapters/cursor-broker.ts` forwards only to `api.cursor.com` and `api2.cursor.sh`; no arbitrary exfiltration target was found.
  • No source writes foreign AI-agent configuration, hooks, or broad host persistence.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 765 KB of source, external domains: 127.0.0.1, ai.google.dev, ai.libx.js, api.ai21.com, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.groq.com, api.inceptionlabs.ai, api.mistral.ai, api.moonshot.ai, api.openai.com, api.x.ai, cursor.com, developers.cloudflare.com, docs.anthropic.com, docs.x.ai, generativelanguage.googleapis.com, openrouter.ai, upload.wikimedia.org

Source & flagged code

3 flagged · loading source
build/adapters/cursor-isolation.jsView file
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

build/adapters/cursor-isolation.jsView on unpkg · L13
13Trigger-reachable chain: manifest.main -> build/index.js -> build/adapters/cursor-isolation.js L13: exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

build/adapters/cursor-isolation.jsView on unpkg · L13
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs");
High
Child Process

Package source references child process execution.

build/adapters/cursor-isolation.jsView on unpkg · L13

Findings

2 Critical2 High3 Medium4 Low
CriticalReverse Shellbuild/adapters/cursor-isolation.js
CriticalTrigger Reachable Dangerous Capabilitybuild/adapters/cursor-isolation.js
HighChild Processbuild/adapters/cursor-isolation.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings