registry  /  ai.libx.js  /  0.18.2

ai.libx.js@0.18.2

Unified API bridge for various AI models (LLMs, image/video generation, TTS, STT) - stateless, edge-compatible

AI Security Review

scanned 10h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are package-aligned Cursor adapter functionality activated by user runtime configuration, with no install-time or import-time execution.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runtime selection of the cursor provider, optionally with providerOptions.isolation.
Impact
Runs a user-requested Cursor agent helper and may create isolation artifacts in the supplied workspace; no unsolicited exfiltration or persistence was confirmed.
Mechanism
Cursor SDK helper subprocess and optional sandbox/broker setup
Rationale
Static inspection shows dangerous-looking child_process, network, and filesystem writes are confined to an explicit Cursor adapter/isolation feature and are not triggered by install or import. With no concrete unconsented mutation, exfiltration, persistence, or remote payload execution, this should be marked clean despite noisy scanner labels.
Evidence
package.jsonbuild/index.jsbuild/adapters/cursor.jsbuild/adapters/cursor-node-helper.jsbuild/adapters/cursor-isolation.jsbuild/adapters/cursor-broker.jssrc/adapters/cursor-isolation.tssrc/adapters/cursor-broker.ts.sbtmp.isolation/darwin.sb.isolation/relay.cjs.isolation-broker.sock~/.cursor/projects/<workspace>
Network endpoints2
api.cursor.comapi2.cursor.sh

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • build/adapters/cursor.js spawns build/adapters/cursor-node-helper.js when the user selects the cursor provider.
  • build/adapters/cursor-node-helper.js dynamically requires @cursor/sdk and can run Cursor agent local/custom tools via user-supplied requests.
  • build/adapters/cursor-isolation.js can write .sbtmp, .isolation/darwin.sb, .isolation/relay.cjs, .isolation-broker.sock, and ~/.cursor/projects/<workspace> when providerOptions.isolation is explicitly enabled.
  • build/adapters/cursor-broker.js proxies requests with a real Cursor API key to api.cursor.com and api2.cursor.sh.
Evidence against
  • package.json has no preinstall/install/postinstall or other lifecycle hooks.
  • build/index.js only exports adapters/utilities; importing the package does not spawn helpers or start the broker.
  • Cursor helper execution is gated by runtime use of the cursor adapter, not install-time or import-time behavior.
  • Isolation setup is default-off and user-configured through providerOptions.isolation with a caller-supplied workspace.
  • No code found for credential harvesting beyond normal API key handling, arbitrary remote payload download, persistence, destructive actions, or broad AI-agent config mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 746 KB of source, external domains: 127.0.0.1, ai.google.dev, ai.libx.js, api.ai21.com, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.groq.com, api.inceptionlabs.ai, api.mistral.ai, api.moonshot.ai, api.openai.com, api.x.ai, cursor.com, developers.cloudflare.com, docs.anthropic.com, docs.x.ai, generativelanguage.googleapis.com, openrouter.ai, upload.wikimedia.org

Source & flagged code

4 flagged · loading source
build/adapters/cursor-isolation.jsView file
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L37: try { L38: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L39: if (p && (0, node_fs_1.existsSync)(p)) ... L48: for (let i = 0; i < 24; i++) { L49: const pj = (0, node_path_1.join)(d, 'package.json'); L50: if ((0, node_fs_1.existsSync)(pj)) { L51: try { L52: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L53: return d;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

build/adapters/cursor-isolation.jsView on unpkg · L13
13Trigger-reachable chain: manifest.main -> build/index.js -> build/adapters/cursor-isolation.js L13: exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L37: try { L38: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L39: if (p && (0, node_fs_1.existsSync)(p)) ... L48: for (let i = 0; i < 24; i++) { L49: const pj = (0, node_path_1.join)(d, 'package.json'); L50: if ((0, node_fs_1.existsSync)(pj)) { L51: try { L52: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L53: return d;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

build/adapters/cursor-isolation.jsView on unpkg · L13
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs");
High
Child Process

Package source references child process execution.

build/adapters/cursor-isolation.jsView on unpkg · L13
build/adapters/cursor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ai.libx.js@0.18.1 matchedIdentity = npm:YWkubGlieC5qcw:0.18.1 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/adapters/cursor.jsView on unpkg

Findings

3 Critical2 High3 Medium4 Low
CriticalReverse Shellbuild/adapters/cursor-isolation.js
CriticalTrigger Reachable Dangerous Capabilitybuild/adapters/cursor-isolation.js
CriticalPrevious Version Dangerous Deltabuild/adapters/cursor.js
HighChild Processbuild/adapters/cursor-isolation.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings