registry  /  @mrpatronz/nexusflow  /  1.6.0

@mrpatronz/nexusflow@1.6.0

Combine multiple repos into a workspace with rich AI assistant context

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 121 file(s), 1.17 MB of source, external domains: 127.0.0.1, api.github.com, dev.azure.com, evil.example.com, git.internal.corp, github.com, gitlab.com, malicious-external-domain.com, objects.githubusercontent.com, react.dev, reactrouter.com, registry.npmjs.org, unsafe-domain.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/core/worktree.test.jsView file
2import { execa } from 'execa'; L3: import { execSync } from 'node:child_process'; L4: import * as fs from 'node:fs/promises';
High
Child Process

Package source references child process execution.

dist/core/worktree.test.jsView on unpkg · L2
dist/core/graph.jsView file
2import * as path from 'node:path'; L3: import { execa } from 'execa'; L4: /**
High
Shell

Package source references shell execution.

dist/core/graph.jsView on unpkg · L2
dist/core/plugins/loader.jsView file
19const fileUrl = resolvedPath.startsWith('file://') ? resolvedPath : `file:///${resolvedPath.replace(/\\/g, '/')}`; L20: const module = await import(fileUrl); L21: const plugin = module.default || module.plugin;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins/loader.jsView on unpkg · L19
dist/core/analysis-cache.jsView file
11import * as path from 'node:path'; L12: import { execa } from 'execa'; L13: /** Name of the analysis cache file, written at the workspace root. */ ... L29: const raw = await fs.readFile(getAnalysisCachePath(workspacePath), 'utf-8'); L30: const cache = JSON.parse(raw); L31: if (!cache.repos || typeof cache.repos !== 'object') { ... L80: try { L81: const { stdout: shaOut } = await execa('git', ['rev-parse', 'HEAD'], { L82: cwd: repoPath,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/analysis-cache.jsView on unpkg · L11
dist/utils/update-check.jsView file
10/** L11: * Resolves the current package version by searching for package.json upward L12: * from the directory of the executing code. ... L16: const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: let currentDir = __dirname; ... L21: if (fs.existsSync(packageJsonPath)) { L22: const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8')); L23: return pkg.version; ... L59: try { L60: const response = await fetch('https://api.github.[redacted]', { L61: headers: { 'User-Agent': 'NexusFlow-Updater' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/update-check.jsView on unpkg · L10
130const msg = `Update available: ${chalk.red(status.currentVersion)} → ${chalk.green(status.latestVersion)}`; L131: const runMsg = `Run ${chalk.cyan('npm install -g @mrpatronz/nexusflow')} to update!`; L132: const cleanMsg = `Update available: ${status.currentVersion} → ${status.latestVersion}`; ... L144: } L145: import { execa } from 'execa'; L146: export async function getToolsStatus(force = false) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/update-check.jsView on unpkg · L130

Findings

4 High4 Medium6 Low
HighChild Processdist/core/worktree.test.js
HighShelldist/core/graph.js
HighSandbox Evasion Gated Capabilitydist/utils/update-check.js
HighRuntime Package Installdist/utils/update-check.js
MediumDynamic Requiredist/core/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/core/analysis-cache.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings