AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The sensitive primitives are expected AI coding-agent features and require user/runtime configuration or explicit tool calls.
Static reason
No blocking static signals were detected; previous stored version diff introduced dangerous source.
Trigger
Importing the package does not activate risky behavior; runtime agent/tool/plugin APIs must be called by the host application or user.
Impact
No unconsented install-time or import-time compromise identified.
Mechanism
Package-aligned agent tooling with permission-gated shell/filesystem/network/plugin operations
Rationale
Static inspection shows dangerous primitives, but they are documented, package-aligned AI coding-agent capabilities and are not triggered at install/import time. I found no concrete exfiltration, hidden payload, or unconsented control-surface mutation.
Evidence
- package.json
- dist/index.js
- dist/auth/index.js
- dist/api/client.js
- dist/tools/executor.js
- dist/plugins/installer.js
- dist/agent/loop.js
- dist/mcp/manager.js
- ~/.nexrall/config.json
- ~/.nexrall/checkpoints/<key>
- ~/.nexrall/plugins
- <workDir>/.nexrall/plugins
- <workDir>/.nexrall/mcp.json
- ~/.nexrall/mcp.json
Network endpoints (2)
- api.nexrall.com
- codeload.github.com
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/tools/executor.js exposes user-permissioned shell, file write/delete, network fetch, image/stock download tools.
- dist/plugins/installer.js can download GitHub plugin tarballs and copy them into .nexrall/plugins when installPlugin is called.
- dist/agent/loop.js runs user/project/plugin hook commands via spawnSync during agent operation.
Evidence against
- package.json has no install/postinstall hook; prepublishOnly is publish-time only.
- dist/index.js only re-exports modules; no import-time execution beyond loading definitions.
- Network calls are package-aligned: api.nexrall.com for auth/chat/assets and codeload.github.com for explicit plugin installs.
- Auth reads NEXRALL_TOKEN or ~/.nexrall/config.json only to send bearer auth to api.nexrall.com.
- Shell/MCP/hooks/plugin behavior is user-configured or permission-gated runtime functionality for an AI coding agent.
- No credential harvesting, obfuscation, hidden persistence, destructive install behavior, or reviewer/prompt manipulation found.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged
dist/checkpoint/manager.js
L42: const crypto = __importStar(require("crypto"));
L43: const child_process_1 = require("child_process");
L44: // ─── Checkpoint / Rewind ────────────────────────────────────────────────────
...
L133: // polluting the real ~/.nexrall/checkpoints).
L134: const base = process.env.NEXRALL_CHECKPOINT_DIR || path.join(os.homedir(), '.nexrall', 'checkpoints');
L135: this.storeDir = path.join(base, key);
...
L221: return null;
L222: const hash = (r.stdout ?? '').trim();
L223: // Empty output = clean tree (nothing to snapshot). A dangling commit is
...
L332: existed: s.existed,
L333: content: s.content ? s.content.toString('base64') : null,
L334: })),
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/checkpoint/manager.js · L42
dist/plugins/installer.js
matchType = previous_version_dangerous_delta
matchedPackage = @nexrall/code-core@1.0.1
matchedIdentity = npm:QG5leHJhbGwvY29kZS1jb3Jl:1.0.1
similarity = 0.941
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/plugins/installer.js
Findings
1 Critical · 2 Medium · 6 Low
- Critical: Previous Version Dangerous Delta (dist/plugins/installer.js)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Weak Crypto (dist/checkpoint/manager.js)
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings