registry  /  @mrpatronz/nexusflow  /  0.2.18

@mrpatronz/nexusflow@0.2.18

Combine multiple repos into a workspace with rich AI assistant context

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 190 file(s), 1.74 MB of source, external domains: 127.0.0.1, api.github.com, github.com, malicious-external-domain.com, nodejs.org, react.dev, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

5 flagged · loading source
extension/src/extension.tsView file
2import * as http from 'http'; L3: import * as child_process from 'child_process'; L4: import * as path from 'path';
High
Child Process

Package source references child process execution.

extension/src/extension.tsView on unpkg · L2
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130

Findings

4 High4 Medium5 Low
HighChild Processextension/src/extension.ts
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings