registry  /  @mrpatronz/nexusflow  /  1.3.3

@mrpatronz/nexusflow@1.3.3

Combine multiple repos into a workspace with rich AI assistant context

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a developer workflow CLI/dashboard with explicit user-invoked AI context generation, MCP setup, local transcript display, and update/install helpers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs nexusflow commands or opens the local dashboard; no install-time trigger.
Impact
Can modify NexusFlow/workspace/AI config files and run local tools when explicitly requested; no evidence of unconsented exfiltration or malware behavior.
Mechanism
package-aligned local developer automation
Rationale
Static source inspection found sensitive primitives, but they are tied to the package's documented local workspace/dashboard features and are user-invoked rather than lifecycle-driven. No concrete malicious chain, credential harvesting with exfiltration, remote code payload, or unconsented broad AI-agent control-surface mutation was present.
Evidence
package.jsondist/index.jsdist/server.jsdist/commands/mcp.jsdist/generators/codex.jsdist/generators/claude.jsdist/generators/cursor.jsdist/utils/session-finder.jsdist/utils/update-check.js~/.nexusflow/config.json~/.cursor/mcp.jsonVS Code User/mcp.jsonClaude/claude_desktop_config.jsonworkspace/AGENTS.mdworkspace/CLAUDE.mdworkspace/.cursor/rules/nexusflow.mdc
Network endpoints3
api.github.com/repos/antan87/NexusFlow/releases/latestregistry.npmjs.org/${t.npmPackage}/latestuser-configured local LLM endpoints

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/commands/mcp.js explicit `mcp setup` writes NexusFlow MCP config into Cursor/VS Code/Claude config files.
  • dist/server.js local API can run update/install commands and spawn editors or assistant CLIs after dashboard/API actions.
  • dist/utils/session-finder.js reads local assistant session transcripts for Antigravity, Claude, Codex, and Copilot.
Evidence against
  • package.json has only prepublishOnly build script; no preinstall/install/postinstall execution.
  • dist/index.js only registers CLI commands, loads user-configured plugins, and performs a GitHub update check after command actions.
  • dist/server.js binds dashboard server to 127.0.0.1 and restricts CORS to localhost origins.
  • dist/server.js update download is restricted to GitHub/GitHubusercontent HTTPS hosts before installer execution.
  • AI-agent config/context writes are package-aligned and triggered by explicit CLI/dashboard workspace actions, not install-time mutation.
  • No credential exfiltration, remote payload execution, stealth persistence, or destructive install-time behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 100 file(s), 1.03 MB of source, external domains: 127.0.0.1, api.github.com, evil.example.com, github.com, malicious-external-domain.com, objects.githubusercontent.com, react.dev, reactrouter.com, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mrpatronz/nexusflow@1.5.0 matchedIdentity = npm:QG1ycGF0cm9uei9uZXh1c2Zsb3c:1.5.0 similarity = 0.804 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.jsView on unpkg
16import { pipeline } from 'node:stream/promises'; L17: import { spawn } from 'node:child_process'; L18: import { loadConfig, saveConfig, getConfigDir } from './core/config.js';
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L16
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/core/analysis-cache.jsView file
11import * as path from 'node:path'; L12: import { execa } from 'execa'; L13: /** Name of the analysis cache file, written at the workspace root. */ ... L29: const raw = await fs.readFile(getAnalysisCachePath(workspacePath), 'utf-8'); L30: const cache = JSON.parse(raw); L31: if (!cache.repos || typeof cache.repos !== 'object') { ... L80: try { L81: const { stdout: shaOut } = await execa('git', ['rev-parse', 'HEAD'], { L82: cwd: repoPath,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/analysis-cache.jsView on unpkg · L11
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/server.js
HighChild Processdist/server.js
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/core/analysis-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings