AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit local developer tool that injects a browser panel, drops its own agent skills, starts a local relay, and may spawn the user's coding-agent CLI. This is high-trust agent orchestration, but source inspection did not confirm malicious install-time or covert behavior.
Decision evidence
public snapshot- bin/cli.mjs live writes a script tag into project HTML and copies package-owned .agents/skills into the project.
- bin/cli.mjs --llm can run curl|bash or PowerShell iex installer for cursor.com/install.
- server/relay.mjs spawns REFINE_AGENT_CMD via sh -c for LLM, scan, and apply jobs.
- server/agent-resolve.mjs builds high-trust agent commands: cursor-agent --force, claude --dangerously-skip-permissions, codex workspace-write.
- server/relay.mjs apply prompts ask the agent to edit user source files after an apply job.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Dangerous behavior is behind explicit user commands such as refine live, --llm, browser panel jobs, or REFINE_AGENT_CMD.
- Network endpoints are local relay/browser UI plus documented cursor/esm.sh UI dependencies, not covert exfiltration.
- No credential harvesting, secret file enumeration, destructive payload, persistence beyond project relay files, or remote code execution at install time found.
- README documents agent spawning, source edits on Accept, skill drops, and Cursor CLI install behavior.
Source & flagged code
7 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/cli.mjsView on unpkg · L20Source downloads or fetches remote code and executes it.
bin/cli.mjsView on unpkg · L20A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/cli.mjsView on unpkg · L20Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/cli.mjsView on unpkg · L20This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
server/relay.mjsView on unpkg