registry  /  transitions-refine  /  0.3.34

transitions-refine@0.3.34

Live, agent-driven Refine panel for CSS/Motion transitions — injects a timeline + Refine UI and runs transitions.dev suggestions via your coding agent.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has real agent-control and source-editing capability, but it is exposed as an explicit refinement tool rather than install-time malware. Risk is from user-invoked setup of local agent skills, relay orchestration, and headless agent spawning.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the refine CLI, especially refine live, refine live --llm, or starts the relay with REFINE_AGENT_CMD.
Impact
Can modify project HTML, drop first-party .agents skills, start a local relay, and ask configured agent CLIs to inspect or edit project source.
Mechanism
explicit user-command agent extension setup and local relay spawning agent CLIs
Rationale
Static inspection confirms dangerous primitives, but they are user-invoked and package-aligned with a live CSS transition refinement tool, with no npm lifecycle execution or evidence of exfiltration/destructive behavior. Because it installs first-party agent skills and can spawn powerful coding-agent CLIs to edit source, warn rather than block.
Evidence
package.jsonbin/cli.mjsserver/relay.mjsserver/agent-resolve.mjsserver/live-refine-loop.mjs.agents/skills/refine-live/SKILL.md.agents/skills/transitions-dev/SKILL.mdindex.htmlpublic/index.htmlsrc/index.htmlapp/index.htmldist/index.html.agents/skills/refine-live.agents/skills/transitions-dev.refine-relay.json.refine-relay.log.refine-live.loguser source files selected by apply jobs
Network endpoints10
cursor.com/install?win32=truecursor.com/installlocalhost:<port>/inject.js127.0.0.1:<port>/health127.0.0.1:<port>/show127.0.0.1:<port>/hideesm.sh/react@19esm.sh/react-dom@19esm.sh/react-dom@19/clientesm.sh/border-beam@1.2.0?deps=react@19,react-dom@19

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.mjs user-invoked live command injects a localhost script tag into an HTML page and writes .agents/skills/refine-live plus transitions-dev.
  • bin/cli.mjs --llm can run Cursor's installer via PowerShell irm|iex or curl|bash when no agent CLI is found.
  • server/relay.mjs spawns REFINE_AGENT_CMD through sh -c for scan/refine/apply jobs.
  • server/agent-resolve.mjs builds headless agent commands including claude --dangerously-skip-permissions and codex exec --sandbox workspace-write.
  • server/relay.mjs apply jobs prompt the agent to edit user source files.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; prepack is publish-time only.
  • CLI side effects require explicit user command such as refine live; no import-time execution was found.
  • Cursor installer runs only with explicit --llm and only after resolver reports an installable missing CLI.
  • Network use is local relay traffic plus documented CDN/demo assets and Cursor installer; no credential exfiltration endpoint was found.
  • Bundled .agents skills are first-party package-owned instructions aligned with the refine feature.
  • No destructive behavior, stealth persistence, credential harvesting, or hidden payload loading was identified.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 137 KB of source, external domains: cursor.com, esm.sh

Source & flagged code

6 flagged · loading source
bin/cli.mjsView file
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/cli.mjsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> bin/cli.mjs L20: L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L20
134? spawnSync( L135: "powershell", L136: ["-NoProfile", "-Command", "irm 'https://cursor.com/install?win32=true' | iex"],
High
Shell

Package source references shell execution.

bin/cli.mjsView on unpkg · L134
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/cli.mjsView on unpkg · L20

Findings

3 Critical3 High3 Medium4 Low
CriticalSame File Env Network Executionbin/cli.mjs
CriticalDownload Executebin/cli.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/cli.mjs
HighChild Processbin/cli.mjs
HighShellbin/cli.mjs
HighSandbox Evasion Gated Capabilitybin/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
transitions-refine: Suspicious npm security report (Warn) | LPM Firewall