registry  /  @nexus-cortex/cli  /  4.45.0

@nexus-cortex/cli@4.45.0

Nexus Cortex CLI - Terminal interface for multi-provider LLM orchestration

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface was confirmed. The main residual risk is first-party Nexus Cortex runtime setup that seeds package-owned agent/skill/config directories under ~/.cortex when the CLI is run.

Static reason
No blocking static signals were detected.
Trigger
User runs the cortex CLI or explicit subcommands such as agent, mcp init, config set, update, uninstall, or autoresearch.
Impact
Can create or update first-party ~/.cortex scaffolding and run user-requested local commands; no evidence of unconsented exfiltration or foreign control hijack.
Mechanism
First-party AI-agent CLI with local server orchestration, runtime scaffold sync, and explicit config/benchmark command execution.
Rationale
Source inspection found no concrete malicious chain, credential exfiltration, remote payload execution, or install-time mutation. Because the package performs first-party AI-agent scaffold setup under ~/.cortex at runtime, mark as suspicious/warn rather than block or clean.
Evidence
package.jsonbin/cortex.jsdist/lifecycle/updateCheck.jsdist/commands/mcp/init.jsdist/commands/mcp/edit.jsdist/commands/config/set.jsdist/commands/config/init.jsdist/commands/uninstall.jsdist/commands/autoresearch/fix.jsdist/commands/autoresearch/harnessProcess.jsdist/commands/autoresearch/commandRunner.js~/.cortex/.env~/.cortex/.update-check~/.cortex/server.log~/.cortex/{agents,skills,commands,system-messages}~/.cortex/builtinMCP_CONFIG.md.cortex/experiments.jsonl.cortex/router-matrix.jsonl.cortex/research-backlog.jsonl
Network endpoints4
localhost:4000localhost:4001registry.npmjs.org/nexus-cortex/latestbrowser.spitfire-products.com/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/lifecycle/updateCheck.js syncBuiltinScaffold seeds ~/.cortex/{agents,skills,commands,system-messages} and copies package .cortex to ~/.cortex/builtin on CLI startup
  • bin/cortex.js agent/run mode sets YOLO=true and auto-starts a local server when explicitly invoked
  • dist/commands/mcp/init.js can create MCP_CONFIG.md with nexus-browser enabled, but only via explicit mcp init command
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • Network use is package-aligned: localhost Cortex server/client and npm registry update check
  • Config writes are first-party ~/.cortex or explicit user commands; no credential harvesting or exfiltration found
  • Shell/process execution is user-invoked CLI functionality for starting server, editor, npm update/build, git, and benchmark commands
  • No obfuscation, remote payload loading, destructive install-time behavior, or foreign AI-agent control-surface mutation found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 107 file(s), 504 KB of source, external domains: browser.spitfire-products.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
bin/cortex.jsView file
24L25: import { spawn, spawnSync } from 'child_process'; L26: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

bin/cortex.jsView on unpkg · L24
6Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network L6: * Usage: L7: * cortex "Read package.json and tell me the version" L8: * cortex --model deepseek-v4-flash "Explain generics" ... L24: L25: import { spawn, spawnSync } from 'child_process'; L26: import { fileURLToPath } from 'url'; ... L56: const CLI_PKG_ROOT = resolve(__cortex_dirname, '..'); L57: if (!process.env.CORTEX_ROOT) { L58: if (existsSync(join(MONOREPO_ROOT, '.cortex'))) process.env.CORTEX_ROOT = MONOREPO_ROOT; ... L62: const BASE_PORT = process.env.PORT || '4000'; L63: const BASE_URL = process.env.CORTEX_URL || `http://localhost:${BASE_PORT}`; L64:
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cortex.jsView on unpkg · L6
dist/commands/mcp/edit.jsView file
33stdio: 'inherit', L34: shell: true L35: });
High
Shell

Package source references shell execution.

dist/commands/mcp/edit.jsView on unpkg · L33
dist/commands/autoresearch/repoResolve.jsView file
13*/ L14: import { execFileSync } from 'node:child_process'; L15: import { createHash } from 'node:crypto'; ... L43: // Hard-disable any interactive credential/host prompt: PUBLIC repos only. L44: env: { ...process.env, GIT_TERMINAL_PROMPT: '0' }, L45: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/autoresearch/repoResolve.jsView on unpkg · L13
dist/commands/autoresearch/harnessProcess.jsView file
95log(`serve ${dir} on :${port}`); L96: const proc = spawn('node', [entry], { L97: cwd: dir, ... L101: // regardless of cwd, so a candidate's project-level config actually takes. L102: env: { ...process.env, PORT: String(port), PROJECT_PATH: dir, PROJECT_ROOT: dir, MODEL_ROUTER_RECORD: 'false' }, L103: stdio: ['ignore', 'ignore', 'pipe'], ... L108: proc.once('exit', () => { exited = true; }); L109: const url = `http://localhost:${port}`; L110: const stop = () => { try {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/autoresearch/harnessProcess.jsView on unpkg · L95

Findings

4 High3 Medium5 Low
HighChild Processbin/cortex.js
HighShelldist/commands/mcp/edit.js
HighEntrypoint Build Divergencebin/cortex.js
HighSame File Env Network Executiondist/commands/autoresearch/harnessProcess.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/commands/autoresearch/repoResolve.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings