registry  /  @mrpatronz/nexusflow  /  1.3.1

@mrpatronz/nexusflow@1.3.1

Combine multiple repos into a workspace with rich AI assistant context

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface: risky primitives are user-invoked developer-tool features for creating multi-repo AI workspaces and optional MCP setup. There is no install-time or import-time mutation of foreign AI-agent control surfaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs NexusFlow CLI commands such as `create`, `ui`, `mcp setup`, or starts the local GUI/MCP server.
Impact
Can create workspace context files, register a NexusFlow MCP server, run local git/editor/service commands, or query configured local/registry endpoints as part of documented workflow.
Mechanism
User-invoked workspace generation, local server orchestration, optional MCP registration, and configured plugin loading.
Rationale
Static inspection shows a developer workspace/AI-context tool with explicit CLI-triggered AI config generation and MCP setup, not install-time hijacking, exfiltration, persistence, or remote code execution. The scanner’s dangerous primitives are package-aligned and mostly guarded by user actions or local configuration.
Evidence
package.jsondist/index.jsdist/server.jsdist/core/workspace.jsdist/commands/mcp.jsdist/generators/index.jsdist/generators/skills-generator.jsdist/utils/update-check.jsdist/core/plugins/loader.js~/.nexusflow/config.json<workspace>/AGENTS.md<workspace>/CLAUDE.md<workspace>/.cursor/mcp.json<workspace>/.claude/skills/*/SKILL.md<workspace>/.codex/skills/*/SKILL.md~/.cursor/mcp.json~/Library/Application Support/Claude/claude_desktop_config.json
Network endpoints2
api.github.com/repos/antan87/NexusFlow/releases/latestregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/mcp.js can update user AI MCP configs, but only via explicit `nexusflow mcp setup`.
  • dist/core/plugins/loader.js dynamically imports configured plugin paths at CLI runtime.
  • dist/server.js exposes local GUI routes that can spawn allowed editors/services and delete workspaces.
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly build.
  • dist/index.js only registers CLI commands and skips update checks for MCP stdio mode.
  • dist/core/workspace.js writes `.cursor/mcp.json`, `AGENTS.md`, `CLAUDE.md`, and skills inside NexusFlow workspaces, aligned with package purpose.
  • dist/commands/mcp.js writes known MCP config paths only when the setup command is invoked, not during install/import.
  • dist/utils/update-check.js fetches GitHub/npm version metadata and prints install instructions; it does not execute npm install.
  • dist/server.js restricts CORS to localhost and validates editor command names/path containment for sensitive routes.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 100 file(s), 1.03 MB of source, external domains: 127.0.0.1, api.github.com, evil.example.com, github.com, malicious-external-domain.com, objects.githubusercontent.com, react.dev, reactrouter.com, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mrpatronz/nexusflow@1.3.0 matchedIdentity = npm:QG1ycGF0cm9uei9uZXh1c2Zsb3c:1.3.0 similarity = 0.763 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.jsView on unpkg
16import { pipeline } from 'node:stream/promises'; L17: import { spawn } from 'node:child_process'; L18: import { loadConfig, saveConfig, getConfigDir } from './core/config.js';
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L16
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/core/analysis-cache.jsView file
11import * as path from 'node:path'; L12: import { execa } from 'execa'; L13: /** Name of the analysis cache file, written at the workspace root. */ ... L29: const raw = await fs.readFile(getAnalysisCachePath(workspacePath), 'utf-8'); L30: const cache = JSON.parse(raw); L31: if (!cache.repos || typeof cache.repos !== 'object') { ... L80: try { L81: const { stdout: shaOut } = await execa('git', ['rev-parse', 'HEAD'], { L82: cwd: repoPath,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/analysis-cache.jsView on unpkg · L11
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/server.js
HighChild Processdist/server.js
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/core/analysis-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings