registry  /  @mrpatronz/nexusflow  /  1.5.0

@mrpatronz/nexusflow@1.5.0

Combine multiple repos into a workspace with rich AI assistant context

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI workspace tool with user-invoked agent/MCP integration and local development automation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI/UI commands such as create, mcp setup, ui update, or agent MCP tool calls
Impact
Can modify workspace context files and, when explicitly requested, register MCP configs or run git/update commands; no unconsented lifecycle mutation or exfiltration found.
Mechanism
User-invoked workspace generation, MCP registration, git automation, and update checks
Rationale
Static inspection shows dangerous primitives are tied to the package's documented workspace/AI-assistant functionality and are activated by explicit user commands or local GUI/MCP actions. There is no install-time execution, credential harvesting, remote payload loading, persistence, or unconsented foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/commands/create.jsdist/commands/mcp.jsdist/core/workspace.jsdist/generators/skills-generator.jsdist/mcp/tools.jsdist/server.jsdist/utils/update-check.js~/.nexusflow/config.json<workspace>/CLAUDE.md<workspace>/AGENTS.md<workspace>/.cursor/mcp.json<workspace>/.cursor/rules/nexusflow.mdc<workspace>/.claude/skills/*/SKILL.md<workspace>/.codex/skills/*/SKILL.md
Network endpoints3
api.github.com/repos/antan87/NexusFlow/releases/latestregistry.npmjs.org/${t.npmPackage}/latestlocalhost:11434

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/mcp.js can user-invoked write NexusFlow MCP entries into Cursor/VS Code/Claude configs
  • dist/core/workspace.js creates workspace-local .cursor/mcp.json using npx -y @mrpatronz/nexusflow mcp run
  • dist/generators/skills-generator.js writes assistant skill/rule files under the created workspace
  • dist/server.js exposes local GUI routes that can install/update known tools when invoked
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly build
  • AI/MCP files are generated by explicit CLI/UI workspace actions, not lifecycle/import-time execution
  • MCP and assistant artifacts are package-aligned and workspace-scoped except explicit mcp setup command
  • No credential harvesting or secret exfiltration found in inspected source
  • Network use is update/local-LLM/package-registry aligned: GitHub releases, npm registry, localhost/private endpoints
  • Dynamic import is plugin loading from configured user paths, not remote code loading
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 120 file(s), 1.15 MB of source, external domains: 127.0.0.1, api.github.com, dev.azure.com, evil.example.com, git.internal.corp, github.com, gitlab.com, malicious-external-domain.com, objects.githubusercontent.com, react.dev, reactrouter.com, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/core/worktree.test.jsView file
2import { execa } from 'execa'; L3: import { execSync } from 'node:child_process'; L4: import * as fs from 'node:fs/promises';
High
Child Process

Package source references child process execution.

dist/core/worktree.test.jsView on unpkg · L2
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/core/analysis-cache.jsView file
11import * as path from 'node:path'; L12: import { execa } from 'execa'; L13: /** Name of the analysis cache file, written at the workspace root. */ ... L29: const raw = await fs.readFile(getAnalysisCachePath(workspacePath), 'utf-8'); L30: const cache = JSON.parse(raw); L31: if (!cache.repos || typeof cache.repos !== 'object') { ... L80: try { L81: const { stdout: shaOut } = await execa('git', ['rev-parse', 'HEAD'], { L82: cwd: repoPath,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/analysis-cache.jsView on unpkg · L11
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130
dist/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mrpatronz/nexusflow@1.3.1 matchedIdentity = npm:QG1ycGF0cm9uei9uZXh1c2Zsb3c:1.3.1 similarity = 0.804 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/server.js
HighChild Processdist/core/worktree.test.js
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/core/analysis-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings