registry  /  transitions-refine  /  0.3.29

transitions-refine@0.3.29

Live, agent-driven Refine panel for CSS/Motion transitions — injects a timeline + Refine UI and runs transitions.dev suggestions via your coding agent.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit local transition-refinement tool that injects a localhost panel, installs first-party agent skills into the project, and may spawn a configured coding-agent CLI per job. This is a real agent-extension lifecycle risk, but source inspection did not show unconsented install-time mutation or malicious exfiltration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs npx transitions-refine live, stop, --llm, or starts the relay with REFINE_AGENT_CMD.
Impact
Can modify project HTML/.agents files and, on apply jobs, delegate source edits to the user's configured agent CLI.
Mechanism
explicit project HTML injection, package-owned skill drop, optional Cursor CLI installer, and local agent CLI spawning
Rationale
Source shows a package-aligned local dev tool with explicit agent-control and file-editing capabilities, but no npm lifecycle hook, stealth persistence, credential exfiltration, or unconsented broad AI-agent control-surface mutation. Per policy, first-party package-owned agent extension setup and explicit user-command agent mutation should warn rather than block.
Evidence
package.jsonbin/cli.mjsserver/agent-resolve.mjsserver/relay.mjsserver/refine-agent.mjs.agents/skills/refine-live/SKILL.mdserver/inject.mjsindex.htmlpublic/index.htmlsrc/index.htmlapp/index.htmldist/index.html.agents/skills/refine-live.agents/skills/transitions-dev.refine-relay.json.refine-relay.log
Network endpoints7
localhost:7331127.0.0.1:<port>cursor.com/installcursor.com/install?win32=trueesm.sh/react@19esm.sh/react-dom@19esm.sh/border-beam@1.2.0?deps=react@19,react-dom@19

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.mjs live command writes an injected localhost script tag into a discovered or --page HTML file.
  • bin/cli.mjs drops package-owned .agents/skills/refine-live and .agents/skills/transitions-dev into the current project.
  • bin/cli.mjs --llm can run curl|bash or PowerShell irm|iex installer from cursor.com.
  • server/relay.mjs spawns REFINE_AGENT_CMD via sh -c for LLM jobs, and agent-resolve.mjs adds permissive flags for Cursor/Claude/Codex CLIs.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Risky behavior is behind explicit CLI commands such as live, stop, --llm, or user-configured REFINE_AGENT_CMD, not install-time import execution.
  • Network use is local relay/panel plumbing plus documented package-aligned CDNs/installer URLs.
  • No credential harvesting, broad file enumeration, persistence outside project .refine files, or remote payload execution beyond explicit Cursor CLI install was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 133 KB of source, external domains: cursor.com, esm.sh

Source & flagged code

6 flagged · loading source
bin/cli.mjsView file
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/cli.mjsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> bin/cli.mjs L20: L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L20
134? spawnSync( L135: "powershell", L136: ["-NoProfile", "-Command", "irm 'https://cursor.com/install?win32=true' | iex"],
High
Shell

Package source references shell execution.

bin/cli.mjsView on unpkg · L134
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/cli.mjsView on unpkg · L20

Findings

3 Critical3 High3 Medium4 Low
CriticalSame File Env Network Executionbin/cli.mjs
CriticalDownload Executebin/cli.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/cli.mjs
HighChild Processbin/cli.mjs
HighShellbin/cli.mjs
HighSandbox Evasion Gated Capabilitybin/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings