AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package has real agent-control and source-editing capability, but it is exposed as an explicit refinement tool rather than install-time malware. Risk is from user-invoked setup of local agent skills, relay orchestration, and headless agent spawning.
Decision evidence
public snapshot- bin/cli.mjs user-invoked live command injects a localhost script tag into an HTML page and writes .agents/skills/refine-live plus transitions-dev.
- bin/cli.mjs --llm can run Cursor's installer via PowerShell irm|iex or curl|bash when no agent CLI is found.
- server/relay.mjs spawns REFINE_AGENT_CMD through sh -c for scan/refine/apply jobs.
- server/agent-resolve.mjs builds headless agent commands including claude --dangerously-skip-permissions and codex exec --sandbox workspace-write.
- server/relay.mjs apply jobs prompt the agent to edit user source files.
- package.json has no preinstall/install/postinstall lifecycle hooks; prepack is publish-time only.
- CLI side effects require explicit user command such as refine live; no import-time execution was found.
- Cursor installer runs only with explicit --llm and only after resolver reports an installable missing CLI.
- Network use is local relay traffic plus documented CDN/demo assets and Cursor installer; no credential exfiltration endpoint was found.
- Bundled .agents skills are first-party package-owned instructions aligned with the refine feature.
- No destructive behavior, stealth persistence, credential harvesting, or hidden payload loading was identified.
Source & flagged code
6 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/cli.mjsView on unpkg · L20Source downloads or fetches remote code and executes it.
bin/cli.mjsView on unpkg · L20A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/cli.mjsView on unpkg · L20Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/cli.mjsView on unpkg · L20