AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked Cursor adapter can launch a local Cursor SDK helper with optional sandboxing and a localhost auth broker. This is a guarded AI-agent capability surface, not confirmed malware.
Decision evidence
public snapshot- build/adapters/cursor.js spawns build/adapters/cursor-node-helper.js for cursor provider requests
- build/adapters/cursor-node-helper.js creates @cursor/sdk Agent with apiKey,cwd,mcpServers,customTools
- build/adapters/cursor-isolation.js writes workspace isolation files and launches sandbox-exec/bwrap wrappers
- build/adapters/cursor-broker.js proxies Cursor auth to api.cursor.com and api2.cursor.sh
- package.json has no preinstall/install/postinstall lifecycle scripts
- build/index.js only exports cursor isolation APIs; import alone does not start broker or spawn helper
- isolation is opt-in via providerOptions.isolation during CursorAdapter.chat
- broker only forwards to Cursor-owned hosts and replaces dummy Cursor key with supplied real key
- child env filters CURSOR_API_KEY and common secrets unless explicitly allowed
Source & flagged code
4 flagged · loading sourceSource matches reverse-shell style process and socket wiring.
build/adapters/cursor-isolation.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
build/adapters/cursor-isolation.jsView on unpkg · L13This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
build/adapters/cursor-isolation.jsView on unpkgPackage source references child process execution.
build/adapters/cursor-isolation.jsView on unpkg · L13