registry  /  ai.libx.js  /  0.18.4

ai.libx.js@0.18.4

Unified API bridge for various AI models (LLMs, image/video generation, TTS, STT) - stateless, edge-compatible

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked Cursor adapter can launch a local Cursor SDK helper with optional sandboxing and a localhost auth broker. This is a guarded AI-agent capability surface, not confirmed malware.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Calling AIClient.chat with a cursor/* model or directly using CursorAdapter/prepareIsolation
Impact
Cursor agent may operate in the configured cwd with caller-supplied tools/MCP servers; no install-time persistence or broad agent hijack found
Mechanism
user-invoked Cursor agent helper and optional isolation broker
Rationale
The flagged child_process and socket patterns are real but are part of an explicit Cursor provider/isolation feature reached by user API calls, not npm install or import-time code. Because this exposes an AI-agent execution surface with cwd/tool/MCP capabilities, warn rather than block.
Evidence
package.jsonbuild/index.jsbuild/adapters/cursor.jsbuild/adapters/cursor-node-helper.jsbuild/adapters/cursor-isolation.jsbuild/adapters/cursor-broker.js.isolation/darwin.sb.isolation/relay.cjs.isolation-broker.sock.sbtmp~/.cursor/projects/<workspace-slug>
Network endpoints3
api.cursor.comapi2.cursor.sh127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • build/adapters/cursor.js spawns build/adapters/cursor-node-helper.js for cursor provider requests
  • build/adapters/cursor-node-helper.js creates @cursor/sdk Agent with apiKey,cwd,mcpServers,customTools
  • build/adapters/cursor-isolation.js writes workspace isolation files and launches sandbox-exec/bwrap wrappers
  • build/adapters/cursor-broker.js proxies Cursor auth to api.cursor.com and api2.cursor.sh
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • build/index.js only exports cursor isolation APIs; import alone does not start broker or spawn helper
  • isolation is opt-in via providerOptions.isolation during CursorAdapter.chat
  • broker only forwards to Cursor-owned hosts and replaces dummy Cursor key with supplied real key
  • child env filters CURSOR_API_KEY and common secrets unless explicitly allowed
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 751 KB of source, external domains: 127.0.0.1, ai.google.dev, ai.libx.js, api.ai21.com, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.groq.com, api.inceptionlabs.ai, api.mistral.ai, api.moonshot.ai, api.openai.com, api.x.ai, cursor.com, developers.cloudflare.com, docs.anthropic.com, docs.x.ai, generativelanguage.googleapis.com, openrouter.ai, upload.wikimedia.org

Source & flagged code

4 flagged · loading source
build/adapters/cursor-isolation.jsView file
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

build/adapters/cursor-isolation.jsView on unpkg · L13
13Trigger-reachable chain: manifest.main -> build/index.js -> build/adapters/cursor-isolation.js L13: exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

build/adapters/cursor-isolation.jsView on unpkg · L13
matchType = previous_version_dangerous_delta matchedPackage = ai.libx.js@0.18.2 matchedIdentity = npm:YWkubGlieC5qcw:0.18.2 similarity = 0.981 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/adapters/cursor-isolation.jsView on unpkg
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs");
High
Child Process

Package source references child process execution.

build/adapters/cursor-isolation.jsView on unpkg · L13

Findings

3 Critical2 High3 Medium4 Low
CriticalReverse Shellbuild/adapters/cursor-isolation.js
CriticalTrigger Reachable Dangerous Capabilitybuild/adapters/cursor-isolation.js
CriticalPrevious Version Dangerous Deltabuild/adapters/cursor-isolation.js
HighChild Processbuild/adapters/cursor-isolation.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings