registry  /  getprimer  /  0.14.8

getprimer@0.14.8

Shared memory for AI agents — works in Cursor, Claude Code, Windsurf, Zed, VS Code, and anything with MCP.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `primer init` configures detected AI clients, writes project agent files, and installs a Git post-commit hook. It can also install a Cursor `preToolUse` policy hook in the user's home directory. Daemon sync is network-capable after user configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `primer init`, `primer connect`, or global daemon commands.
Impact
Changes AI-agent and Git control surfaces after explicit CLI use; hook can deny tool actions and daemon can synchronize Primer workspace data.
Mechanism
First-party AI-agent configuration, hooks, local daemon persistence, and optional cloud sync.
Rationale
Source inspection confirms broad AI-agent and Git configuration writes plus optional cloud synchronization, but no install-time execution or concrete malicious/exfiltration chain. Flag as warn for the explicit setup and persistence capability.
Evidence
package.jsonout/cli.jsout/daemon.jsout/hook.jsout/sdk.js.mcp.json.vscode/mcp.json~/.cursor/hooks.json.git/hooks/post-commitAGENTS.md.gitattributes.primer/agent/workspace.json
Network endpoints4
www.getprimer.cloudxffienfndbalfaawhaqp.supabase.coprimer-relay.primerctx.workers.devprimer-presence.joshuajaimon8.workers.dev

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `out/cli.js` `primer init` auto-writes MCP entries for detected AI tools.
  • `out/cli.js` auto-installs a `preToolUse` hook in `~/.cursor/hooks.json` when Cursor is detected.
  • `out/cli.js` adds a `.git/hooks/post-commit` hook and creates project `AGENTS.md`.
  • `out/cli.js` supports user-service persistence through launchd, systemd, and scheduled tasks.
  • `out/daemon.js` syncs workspace data to configured Supabase/Cloudflare endpoints.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • The configuration and hook writes are reached from explicit CLI commands such as `primer init` and `primer connect`.
  • Cursor hook behavior in `out/hook.js` enforces local policy and only posts to a user-configured webhook.
  • Network code targets disclosed Primer service endpoints or user-provided URLs.
  • No source evidence of credential harvesting, stealth payload download, or arbitrary remote code execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 3.30 MB of source, external domains: 127.0.0.1, getprimer.cloud, github.com, json-schema.org, primer-presence.joshuajaimon8.workers.dev, primer-relay.primerctx.workers.dev, raw.githubusercontent.com, registry.npmjs.org, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.apple.com, www.getprimer.cloud, www.safaribooksonline.com, www.w3.org, xffienfndbalfaawhaqp.supabase.co

Source & flagged code

12 flagged · loading source
out/cli.jsView file
21454patternName = supabase_service_key severity = critical line = 21454 matchedText = const SU...qI";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

out/cli.jsView on unpkg · L21454
matchType = previous_version_dangerous_delta matchedPackage = getprimer@0.14.4 matchedIdentity = npm:Z2V0cHJpbWVy:0.14.4 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

out/cli.jsView on unpkg
21454patternName = supabase_service_key severity = critical line = 21454 matchedText = const SU...qI";
Critical
Secret Pattern

Supabase service role key (JWT) in out/cli.js

out/cli.jsView on unpkg · L21454
340fs.writeFileSync(WIN_BAT_FILE(root), bat, "utf-8"); L341: cp.spawn("cmd.exe", ["/c", WIN_BAT_FILE(root)], { detached: true, stdio: "ignore" }).unref(); L342: return "startup";
High
Shell

Package source references shell execution.

out/cli.jsView on unpkg · L340
78await new Promise((r) => setTimeout(r, 1500)); L79: const health = await new Promise((resolve6) => { L80: const req = http.get(`http://127.0.0.1:${port}/health`, { timeout: 2e3 }, (res) => { ... L84: try { L85: resolve6(JSON.parse(data)); L86: } catch { ... L233: try { L234: cp.execSync(`launchctl unload "${plistPath}" 2>/dev/null`, { stdio: "pipe" }); L235: } catch { ... L340: fs.writeFileSync(WIN_BAT_FILE(root), bat, "utf-8"); L341: cp.spawn("cmd.exe", ["/c", WIN_BAT_FILE(root)], { detached: true, stdio: "ignore" }).unref(); L342: return "startup";
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

out/cli.jsView on unpkg · L78
78await new Promise((r) => setTimeout(r, 1500)); L79: const health = await new Promise((resolve6) => { L80: const req = http.get(`http://127.0.0.1:${port}/health`, { timeout: 2e3 }, (res) => { ... L84: try { L85: resolve6(JSON.parse(data)); L86: } catch { ... L233: try { L234: cp.execSync(`launchctl unload "${plistPath}" 2>/dev/null`, { stdio: "pipe" }); L235: } catch { ... L340: fs.writeFileSync(WIN_BAT_FILE(root), bat, "utf-8"); L341: cp.spawn("cmd.exe", ["/c", WIN_BAT_FILE(root)], { detached: true, stdio: "ignore" }).unref(); L342: return "startup";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

out/cli.jsView on unpkg · L78
out/daemon.jsView file
6889try { L6890: return (0, import_child_process.execSync)(cmd, { L6891: cwd,
High
Child Process

Package source references child process execution.

out/daemon.jsView on unpkg · L6889
5619const data = isString ? content : JSON.stringify(content, null, 2); L5620: fs.writeFileSync(filePath, data, "utf-8"); L5621: } catch { ... L6889: try { L6890: return (0, import_child_process.execSync)(cmd, { L6891: cwd, ... L14068: * L14069: * This can be used by clients to improve the LLM's understanding of available tools, resources, etc. It can be thought of like a "hint" to the model. For example, this information ... L14070: */ ... L28616: configure(cfg) { L28617: if (!cfg.supabaseUrl || !cfg.supabaseAnonKey || !cfg.workspaceId) { L28618: this.enabled = false;
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

out/daemon.jsView on unpkg · L5619
241Cross-file remote execution chain: out/daemon.js spawns out/cli.js; helper contains network access plus dynamic code execution. L241: var path27 = require("path"); L242: var win32 = process.platform === "win32"; L243: var { ... L370: const eos = () => index >= length; L371: const peek = () => str.charCodeAt(index + 1); L372: const advance = () => { ... L803: type: pattern[0], L804: body: pattern.slice(2, i), L805: end: i ... L4286: } catch (error2) { L4287: if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) L4288: console.error(error2);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

out/daemon.jsView on unpkg · L241
241var path27 = require("path"); L242: var win32 = process.platform === "win32"; L243: var { ... L370: const eos = () => index >= length; L371: const peek = () => str.charCodeAt(index + 1); L372: const advance = () => { ... L803: type: pattern[0], L804: body: pattern.slice(2, i), L805: end: i ... L4286: } catch (error2) { L4287: if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) L4288: console.error(error2);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

out/daemon.jsView on unpkg · L241
34118site.name = fn.name; L34119: var deprecatedfn = new Function( L34120: "fn",
Low
Eval

Package source references a known benign dynamic code generation pattern.

out/daemon.jsView on unpkg · L34118
241var path27 = require("path"); L242: var win32 = process.platform === "win32"; L243: var { ... L370: const eos = () => index >= length; L371: const peek = () => str.charCodeAt(index + 1); L372: const advance = () => { ... L803: type: pattern[0], L804: body: pattern.slice(2, i), L805: end: i ... L4286: } catch (error2) { L4287: if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) L4288: console.error(error2);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

out/daemon.jsView on unpkg · L241

Findings

3 Critical6 High4 Medium7 Low
CriticalCritical Secretout/cli.js
CriticalPrevious Version Dangerous Deltaout/cli.js
CriticalSecret Patternout/cli.js
HighChild Processout/daemon.js
HighShellout/cli.js
HighHost Fingerprint Exfiltrationout/cli.js
HighSandbox Evasion Gated Capabilityout/cli.js
HighRemote Agent Bridgeout/daemon.js
HighCross File Remote Execution Contextout/daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceout/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalout/daemon.js
LowWeak Cryptoout/daemon.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings