AI Security Review
scanned 41m ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a NanoForge CLI whose network, filesystem, and child-process behavior is tied to explicit CLI commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs nf commands such as login, new, install, build, start, publish, or editor.
Impact
Expected CLI effects: creates project files, installs dependencies, reads config/manifests, starts local loaders, or accesses NanoForge registry.
Mechanism
User-invoked project scaffolding, registry access, and package-manager command execution.
Rationale
Static source inspection found suspicious primitives, but they are package-aligned and activated by explicit CLI commands, with no lifecycle execution or unconsented persistence. No credential exfiltration, remote code execution payload, AI-agent control hijack, or destructive behavior was confirmed.
Evidence
package.json, dist/nf.js, dist/command.loader.js, README.md, nanoforge.config.json, nanoforge.manifest.json, .nanoforgerc, .env, .nanoforge/client, .nanoforge/server, client/components, client/systems, server/components, server/systems
Network endpoints (3)
api.nanoforge.eu, registry.nanoforge.eu/dashboard/registry, localhost:3000
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no npm lifecycle hooks; only bin nf -> dist/nf.js.
- dist/nf.js bootstrap only registers CLI commands and parses argv; no install/import-time payload.
- Network use is limited to NanoForge registry/API endpoints for login/install/publish/unpublish.
- child_process spawn is used for user-invoked package manager, git, schematics, editor, loader, and process-tree cleanup operations.
- Credential handling is an explicit nf login API key flow stored via rc9 config, not broad env/secret harvesting.
- No writes to AI-agent control surfaces, shell startup files, VCS hooks, autostart entries, or foreign persistence locations found.
Behavioral surface
ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
4 flagged
dist/command.loader.js
L8: import { join as join$1, resolve } from "path";
L9: import { spawn } from "child_process";
L10: import * as process$1 from "node:process";
High
Child Process
Package source references child process execution.
dist/command.loader.js · L8
L665: stdio: collect ? "pipe" : "inherit",
L666: shell: true,
L667: env: {
High
dist/nf.js
L3: Cross-file remote execution chain: dist/nf.js spawns dist/command.loader.js; helper contains network access plus dynamic code execution.
L3: import "reflect-metadata";
L4: import { execSync, spawn } from "node:child_process";
L5: import fs, { existsSync } from "fs";
...
L27: pidsToProcess[pid] = 1;
L28: switch (process.platform) {
L29: case "win32":
...
L86: let allData = "";
L87: ps.stdout.on("data", function(data) {
L88: allData += data.toString("ascii");
...
L109: const localBinPathSegments = [
L110: process.cwd(),
L111: "node_modules",
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/nf.js · L3
L119: const loadLocalBinCommandLoader = async () => {
L120: return (await import(posix.join(...localBinPathSegments, "command.loader.js"))).CommandLoader;
L121: };
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/nf.js · L119
Findings
3 High · 3 Medium · 4 Low
High · Child Process · dist/command.loader.js
High · Shell · dist/command.loader.js
High · Cross File Remote Execution Context · dist/nf.js
Medium · Dynamic Require · dist/nf.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings