[lxgr]

This definitely seems useful, but it's arguably not an HSM. It's literally downloadable software! (You wouldn't download an HSM.)

HSMs of course also run software, but they usually provide at least some level of hardening against physical attacks. In other words, it shouldn't be possible to just extract key from them. Is that the case here?

I think it would be more honest to call this a (possibly hardened) key server/service. Often, that's all people want from an HSM! But sometimes it isn't (whether for compliance or other reasons).