registry  /  transitions-refine  /  0.3.33

transitions-refine@0.3.33

Live, agent-driven Refine panel for CSS/Motion transitions — injects a timeline + Refine UI and runs transitions.dev suggestions via your coding agent.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit local developer tool that injects a browser panel, drops its own agent skills, starts a local relay, and may spawn the user's coding-agent CLI. This is high-trust agent orchestration, but source inspection did not confirm malicious install-time or covert behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `refine live`/`stop`, passes `--llm`, configures `REFINE_AGENT_CMD`, or uses panel scan/apply/refine jobs.
Impact
Can modify project HTML, copy .agents skills, start/stop a local relay, and cause a configured agent to read or edit project source on user panel actions.
Mechanism
Explicit local relay plus package-owned agent skill setup and user-agent CLI spawning.
Rationale
Source inspection shows real high-trust AI-agent orchestration and project mutation, but no unconsented install-time behavior, covert exfiltration, destructive action, or malicious payload. Treat as a warning-class agent extension lifecycle risk rather than a publish block.
Evidence
package.jsonbin/cli.mjsserver/relay.mjsserver/agent-resolve.mjsserver/inject.mjsserver/live-refine-loop.mjs.agents/skills/refine-live/SKILL.md.agents/skills/transitions-dev/SKILL.mdREADME.mdindex.htmlpublic/index.htmlsrc/index.htmlapp/index.htmldist/index.html.agents/skills/refine-live.agents/skills/transitions-dev.refine-relay.json.refine-relay.log.refine-live.log
Network endpoints7
cursor.com/installcursor.com/install?win32=truelocalhost:7331127.0.0.1:<port>esm.sh/react@19esm.sh/react-dom@19esm.sh/border-beam@1.2.0?deps=react@19,react-dom@19

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.mjs live writes a script tag into project HTML and copies package-owned .agents/skills into the project.
  • bin/cli.mjs --llm can run curl|bash or PowerShell iex installer for cursor.com/install.
  • server/relay.mjs spawns REFINE_AGENT_CMD via sh -c for LLM, scan, and apply jobs.
  • server/agent-resolve.mjs builds high-trust agent commands: cursor-agent --force, claude --dangerously-skip-permissions, codex workspace-write.
  • server/relay.mjs apply prompts ask the agent to edit user source files after an apply job.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Dangerous behavior is behind explicit user commands such as refine live, --llm, browser panel jobs, or REFINE_AGENT_CMD.
  • Network endpoints are local relay/browser UI plus documented cursor/esm.sh UI dependencies, not covert exfiltration.
  • No credential harvesting, secret file enumeration, destructive payload, persistence beyond project relay files, or remote code execution at install time found.
  • README documents agent spawning, source edits on Accept, skill drops, and Cursor CLI install behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 137 KB of source, external domains: cursor.com, esm.sh

Source & flagged code

7 flagged · loading source
bin/cli.mjsView file
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/cli.mjsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> bin/cli.mjs L20: L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/cli.mjsView on unpkg · L20
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L20
134? spawnSync( L135: "powershell", L136: ["-NoProfile", "-Command", "irm 'https://cursor.com/install?win32=true' | iex"],
High
Shell

Package source references shell execution.

bin/cli.mjsView on unpkg · L134
20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync, realpathSync, openSync, rmSync } from "node:fs"; ... L25: import { homedir } from "node:os"; L26: import { get as httpGet, request as httpRequest } from "node:http"; L27: import { AGENTS, findBin, resolveAgentCmd } from "../server/agent-resolve.mjs"; ... L29: const PKG_ROOT = fileURLToPath(new URL("..", import.meta.url)); L30: const CWD = process.cwd(); L31: const HOME = process.env.HOME || homedir(); L32: const PKG_VERSION = (() => { L33: try { L34: return JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf8")).version || "0";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/cli.mjsView on unpkg · L20
server/relay.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = transitions-refine@0.3.29 matchedIdentity = npm:dHJhbnNpdGlvbnMtcmVmaW5l:0.3.29 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/relay.mjsView on unpkg

Findings

4 Critical3 High3 Medium4 Low
CriticalSame File Env Network Executionbin/cli.mjs
CriticalDownload Executebin/cli.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/cli.mjs
CriticalPrevious Version Dangerous Deltaserver/relay.mjs
HighChild Processbin/cli.mjs
HighShellbin/cli.mjs
HighSandbox Evasion Gated Capabilitybin/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings