registry  /  @nexus-cortex/cli  /  4.44.2

@nexus-cortex/cli@4.44.2

Nexus Cortex CLI - Terminal interface for multi-provider LLM orchestration

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 12 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 488 KB of source, external domains: browser.spitfire-products.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
bin/cortex.jsView file
24L25: import { spawn, spawnSync } from 'child_process'; L26: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

bin/cortex.jsView on unpkg · L24
6Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network L6: * Usage: L7: * cortex "Read package.json and tell me the version" L8: * cortex --model deepseek-v4-flash "Explain generics" ... L24: L25: import { spawn, spawnSync } from 'child_process'; L26: import { fileURLToPath } from 'url'; ... L56: const CLI_PKG_ROOT = resolve(__cortex_dirname, '..'); L57: if (!process.env.CORTEX_ROOT) { L58: if (existsSync(join(MONOREPO_ROOT, '.cortex'))) process.env.CORTEX_ROOT = MONOREPO_ROOT; ... L62: const BASE_PORT = process.env.PORT || '4000'; L63: const BASE_URL = process.env.CORTEX_URL || `http://localhost:${BASE_PORT}`; L64:
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cortex.jsView on unpkg · L6
dist/commands/mcp/edit.jsView file
33stdio: 'inherit', L34: shell: true L35: });
High
Shell

Package source references shell execution.

dist/commands/mcp/edit.jsView on unpkg · L33
dist/commands/autoresearch/repoResolve.jsView file
13*/ L14: import { execFileSync } from 'node:child_process'; L15: import { createHash } from 'node:crypto'; ... L43: // Hard-disable any interactive credential/host prompt: PUBLIC repos only. L44: env: { ...process.env, GIT_TERMINAL_PROMPT: '0' }, L45: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/autoresearch/repoResolve.jsView on unpkg · L13
dist/commands/autoresearch/harnessProcess.jsView file
95log(`serve ${dir} on :${port}`); L96: const proc = spawn('node', [entry], { L97: cwd: dir, ... L101: // regardless of cwd, so a candidate's project-level config actually takes. L102: env: { ...process.env, PORT: String(port), PROJECT_PATH: dir, PROJECT_ROOT: dir, MODEL_ROUTER_RECORD: 'false' }, L103: stdio: ['ignore', 'ignore', 'pipe'], ... L108: proc.once('exit', () => { exited = true; }); L109: const url = `http://localhost:${port}`; L110: const stop = () => { try {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/autoresearch/harnessProcess.jsView on unpkg · L95

Findings

4 High3 Medium5 Low
HighChild Processbin/cortex.js
HighShelldist/commands/mcp/edit.js
HighEntrypoint Build Divergencebin/cortex.js
HighSame File Env Network Executiondist/commands/autoresearch/harnessProcess.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/commands/autoresearch/repoResolve.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings