registry  /  ai.libx.js  /  0.18.6

ai.libx.js@0.18.6

Unified API bridge for various AI models (LLMs, image/video generation, TTS, STT) - stateless, edge-compatible

AI Security Review

scanned 58m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The high-risk code is an opt-in Cursor adapter isolation feature, not install-time or import-time behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Runtime caller uses CursorAdapter with providerOptions.isolation or calls prepareIsolation/startBroker directly.
Impact
Creates workspace isolation files and proxies Cursor API traffic for the requested Cursor agent run.
Mechanism
user-invoked sandboxed Cursor helper spawn with localhost broker
Rationale
The scanner's reverse-shell-style finding maps to sandbox relay/broker plumbing that is only reached by explicit runtime Cursor isolation options and forwards to Cursor-owned hosts. With no lifecycle hook, import-time execution, exfiltration, persistence, or foreign AI-agent control mutation, this should not be blocked.
Evidence
package.jsonbuild/index.jsbuild/adapters/cursor.jsbuild/adapters/cursor-isolation.jsbuild/adapters/cursor-broker.jsbuild/adapters/cursor-node-helper.js<workspace>/.isolation/darwin.sb<workspace>/.isolation/relay.cjs<workspace>/.isolation-broker.sock<workspace>/.sbtmp~/.cursor/projects/<workspace-slug>
Network endpoints3
api.cursor.comapi2.cursor.sh127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • build/adapters/cursor-isolation.js exposes opt-in sandbox/broker code that spawns bwrap/sandbox-exec and writes isolation helper files at runtime.
  • build/adapters/cursor-broker.js proxies requests and injects a real Cursor key when a dummy sentinel bearer is used.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and main only exports modules.
  • build/index.js only re-exports adapters; it does not start isolation or broker on import.
  • build/adapters/cursor.js calls prepareIsolation only when caller supplies providerOptions.isolation.
  • build/adapters/cursor-broker.js forwards only to api.cursor.com or api2.cursor.sh, which are package-aligned Cursor endpoints.
  • build/adapters/cursor-isolation.js strips CURSOR_API_KEY from child env and limits child egress through the broker.
  • No credential harvesting, arbitrary remote payload loading, destructive action, persistence, or AI-agent config mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 754 KB of source, external domains: 127.0.0.1, ai.google.dev, ai.libx.js, api.ai21.com, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.groq.com, api.inceptionlabs.ai, api.mistral.ai, api.moonshot.ai, api.openai.com, api.x.ai, cursor.com, developers.cloudflare.com, docs.anthropic.com, docs.x.ai, generativelanguage.googleapis.com, openrouter.ai, upload.wikimedia.org

Source & flagged code

4 flagged · loading source
build/adapters/cursor-isolation.jsView file
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

build/adapters/cursor-isolation.jsView on unpkg · L13
13Trigger-reachable chain: manifest.main -> build/index.js -> build/adapters/cursor-isolation.js L13: exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

build/adapters/cursor-isolation.jsView on unpkg · L13
matchType = previous_version_dangerous_delta matchedPackage = ai.libx.js@0.18.4 matchedIdentity = npm:YWkubGlieC5qcw:0.18.4 similarity = 0.981 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/adapters/cursor-isolation.jsView on unpkg
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs");
High
Child Process

Package source references child process execution.

build/adapters/cursor-isolation.jsView on unpkg · L13

Findings

3 Critical2 High3 Medium4 Low
CriticalReverse Shellbuild/adapters/cursor-isolation.js
CriticalTrigger Reachable Dangerous Capabilitybuild/adapters/cursor-isolation.js
CriticalPrevious Version Dangerous Deltabuild/adapters/cursor-isolation.js
HighChild Processbuild/adapters/cursor-isolation.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings