registry  /  @mrpatronz/nexusflow  /  1.3.0

@mrpatronz/nexusflow@1.3.0

Combine multiple repos into a workspace with rich AI assistant context

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI workspace/CLI tool with explicit commands that generate workspace context files, configure MCP, run git/PM2/editor commands, and check for updates.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs nexusflow CLI commands such as create, ui, mcp setup, sync, start, or commit
Impact
Can modify selected workspace files and, with explicit setup, AI assistant MCP configs; no unconsented install-time hijack found.
Mechanism
User-invoked developer workflow automation and AI context generation
Rationale
Static inspection shows broad AI-agent and shell capabilities, but they are aligned with the advertised NexusFlow CLI and are activated by explicit user commands rather than npm lifecycle hooks. The global MCP configuration path is sensitive, but the code only changes it during the named setup command, so it does not meet the unconsented lifecycle hijack boundary.
Evidence
package.jsondist/index.jsdist/commands/mcp.jsdist/core/workspace.jsdist/generators/base.jsdist/generators/claude.jsdist/generators/codex.jsdist/generators/cursor.jsdist/utils/update-check.jsdist/core/plugins/loader.js~/.cursor/mcp.json~/Library/Application Support/Code/User/mcp.json~/Library/Application Support/Code - Insiders/User/mcp.json~/Library/Application Support/Claude/claude_desktop_config.json<workspace>/.cursor/mcp.json<workspace>/CLAUDE.md<workspace>/AGENTS.md<workspace>/.github/copilot-instructions.md<workspace>/.cursor/rules/nexusflow.mdc<workspace>/nexusflow.json<workspace>/.nexusflow-logs/*.log
Network endpoints4
api.github.com/repos/antan87/NexusFlow/releases/latestregistry.npmjs.org/${t.npmPackage}/latestlocalhost:11434/api/tags/v1/models

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/mcp.js user-invoked setup writes MCP config for Cursor, VS Code, and Claude Desktop
  • dist/core/workspace.js creates workspace-local .cursor/mcp.json and AI context files during workspace creation
  • dist/utils/update-check.js contacts GitHub releases and npm registry after CLI actions
  • dist/core/plugins/loader.js dynamically imports user-configured plugin paths
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly build is publisher-side
  • dist/index.js only registers CLI commands and update check postAction, not install-time mutation
  • AI files CLAUDE.md, AGENTS.md, Cursor and Copilot rules are generated in explicit NexusFlow workspaces
  • MCP global config mutation is behind explicit nexusflow mcp setup command, not automatic lifecycle execution
  • No credential harvesting or exfiltration endpoints found; local LLM endpoints are user-configured and validated
  • Shell/child process use is package-aligned for git, editors, PM2, browser opening, and tool version checks
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 96 file(s), 1.00 MB of source, external domains: 127.0.0.1, api.github.com, github.com, malicious-external-domain.com, react.dev, reactrouter.com, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mrpatronz/nexusflow@0.2.19 matchedIdentity = npm:QG1ycGF0cm9uei9uZXh1c2Zsb3c:0.2.19 similarity = 0.548 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.jsView on unpkg
16import { pipeline } from 'node:stream/promises'; L17: import { spawn } from 'node:child_process'; L18: import { loadConfig, saveConfig, getConfigDir } from './core/config.js';
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L16
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/core/analysis-cache.jsView file
11import * as path from 'node:path'; L12: import { execa } from 'execa'; L13: /** Name of the analysis cache file, written at the workspace root. */ ... L29: const raw = await fs.readFile(getAnalysisCachePath(workspacePath), 'utf-8'); L30: const cache = JSON.parse(raw); L31: if (!cache.repos || typeof cache.repos !== 'object') { ... L80: try { L81: const { stdout: shaOut } = await execa('git', ['rev-parse', 'HEAD'], { L82: cwd: repoPath,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/analysis-cache.jsView on unpkg · L11
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/server.js
HighChild Processdist/server.js
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/core/analysis-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings