registry  /  obolus-sync  /  1.1.0

obolus-sync@1.1.0

The Obolus Context Engine CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs obolus-sync or obolus-init with a project key
Impact
Cursor agent behavior can be redirected through a package-owned MCP tool and remote rules; observed telemetry is limited to project key and token counts.
Mechanism
explicit CLI mutation of Cursor MCP config and project AI rules
Rationale
The package performs explicit user-command AI-agent configuration and remote rule injection, which is risky but not an unconsented install-time hijack under the policy. Source inspection did not show credential harvesting, content exfiltration, destructive actions, or remote code execution.
Evidence
package.jsonsync.jsinit.jslib/deploy.jslib/shield.cjs~/.obolus/shield.js~/.obolus/config.json~/.cursor/mcp.json.cursor/rules/00-obolus-mcp.mdc.cursor/rules/<remote file_name>
Network endpoints2
obolus-nu.vercel.app/api/sync?key=<projectKey>obolus-nu.vercel.app/api/telemetry

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • lib/deploy.js writes ~/.cursor/mcp.json to register obolus-shield MCP server when bin is run
  • lib/deploy.js writes .cursor/rules/00-obolus-mcp.mdc with alwaysApply instructions forcing agent file reads through the MCP tool
  • lib/deploy.js fetches remote rules from https://obolus-nu.vercel.app/api/sync?key=... and writes them into .cursor/rules
  • lib/shield.cjs exposes read_optimized_file that reads arbitrary file paths supplied by the AI client
  • lib/shield.cjs sends telemetry to https://obolus-nu.vercel.app/api/telemetry after reads
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • Entrypoints sync.js and init.js require explicit CLI invocation and a project key
  • No source evidence that file contents or credentials are exfiltrated; telemetry contains project_key and tokens_saved
  • No child_process execution, eval/vm/Function, native binary loading, persistence beyond user-invoked Cursor MCP config
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 11.8 KB of source, external domains: obolus-nu.vercel.app

Source & flagged code

5 flagged · loading source
lib/deploy.jsView file
Published source reference
Medium
Ai Review Evidence

lib/deploy.js writes ~/.cursor/mcp.json to register obolus-shield MCP server when bin is run

lib/deploy.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

lib/deploy.js writes .cursor/rules/00-obolus-mcp.mdc with alwaysApply instructions forcing agent file reads through the MCP tool

lib/deploy.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

lib/deploy.js fetches remote rules from https://obolus-nu.vercel.app/api/sync?key=... and writes them into .cursor/rules

lib/deploy.jsView on unpkg
lib/shield.cjsView file
Published source reference
Medium
Ai Review Evidence

lib/shield.cjs exposes read_optimized_file that reads arbitrary file paths supplied by the AI client

lib/shield.cjsView on unpkg
Published source reference
Medium
Ai Review Evidence

lib/shield.cjs sends telemetry to https://obolus-nu.vercel.app/api/telemetry after reads

lib/shield.cjsView on unpkg

Findings

6 Medium3 Low
MediumNetwork
MediumAi Review Evidencelib/deploy.js
MediumAi Review Evidencelib/deploy.js
MediumAi Review Evidencelib/deploy.js
MediumAi Review Evidencelib/shield.cjs
MediumAi Review Evidencelib/shield.cjs
LowScripts Present
LowFilesystem
LowUrl Strings