registry  /  @nexrall/code-core  /  1.1.0

@nexrall/code-core@1.1.0

Core agent loop, tools, and extension primitives for Nexrall Code — embed an AI coding agent in any Node.js application.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The sensitive primitives are expected AI coding-agent features and require user/runtime configuration or explicit tool calls.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Importing the package does not activate risky behavior; runtime agent/tool/plugin APIs must be called by the host application or user.
Impact
No unconsented install-time or import-time compromise identified.
Mechanism
Package-aligned agent tooling with permission-gated shell/filesystem/network/plugin operations
Rationale
Static inspection shows dangerous primitives, but they are documented, package-aligned AI coding-agent capabilities and are not triggered at install/import time. I found no concrete exfiltration, hidden payload, or unconsented control-surface mutation.
Evidence
package.jsondist/index.jsdist/auth/index.jsdist/api/client.jsdist/tools/executor.jsdist/plugins/installer.jsdist/agent/loop.jsdist/mcp/manager.js~/.nexrall/config.json~/.nexrall/checkpoints/<key>~/.nexrall/plugins<workDir>/.nexrall/plugins<workDir>/.nexrall/mcp.json~/.nexrall/mcp.json
Network endpoints2
api.nexrall.comcodeload.github.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/tools/executor.js exposes user-permissioned shell, file write/delete, network fetch, image/stock download tools.
  • dist/plugins/installer.js can download GitHub plugin tarballs and copy them into .nexrall/plugins when installPlugin is called.
  • dist/agent/loop.js runs user/project/plugin hook commands via spawnSync during agent operation.
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly is publish-time only.
  • dist/index.js only re-exports modules; no import-time execution beyond loading definitions.
  • Network calls are package-aligned: api.nexrall.com for auth/chat/assets and codeload.github.com for explicit plugin installs.
  • Auth reads NEXRALL_TOKEN or ~/.nexrall/config.json only to send bearer auth to api.nexrall.com.
  • Shell/MCP/hooks/plugin behavior is user-configured or permission-gated runtime functionality for an AI coding agent.
  • No credential harvesting, obfuscation, hidden persistence, destructive install behavior, or reviewer/prompt manipulation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 238 KB of source, external domains: api.nexrall.com, codeload.github.com, nexrall.com

Source & flagged code

2 flagged · loading source
dist/checkpoint/manager.jsView file
42const crypto = __importStar(require("crypto")); L43: const child_process_1 = require("child_process"); L44: // ─── Checkpoint / Rewind ──────────────────────────────────────────────────── ... L133: // polluting the real ~/.nexrall/checkpoints). L134: const base = process.env.NEXRALL_CHECKPOINT_DIR || path.join(os.homedir(), '.nexrall', 'checkpoints'); L135: this.storeDir = path.join(base, key); ... L221: return null; L222: const hash = (r.stdout ?? '').trim(); L223: // Empty output = clean tree (nothing to snapshot). A dangling commit is ... L332: existed: s.existed, L333: content: s.content ? s.content.toString('base64') : null, L334: })),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/checkpoint/manager.jsView on unpkg · L42
dist/plugins/installer.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @nexrall/code-core@1.0.1 matchedIdentity = npm:QG5leHJhbGwvY29kZS1jb3Jl:1.0.1 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/plugins/installer.jsView on unpkg

Findings

1 Critical2 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/plugins/installer.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/checkpoint/manager.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings