registry  /  @smart-coder-labs/nexusmind-mcp  /  0.5.1

@smart-coder-labs/nexusmind-mcp@0.5.1

NexusMind MCP server for Claude Code and Cursor — team memory that persists across sessions

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 12 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 9 file(s), 189 KB of source, external domains: nexusmind-backend.fly.dev

Source & flagged code

4 flagged · loading source
dist/hooks/_helpers.jsView file
5// format/emit output the way Codex expects. L6: import { spawnSync } from 'node:child_process'; L7: import { basename } from 'node:path';
High
Child Process

Package source references child process execution.

dist/hooks/_helpers.jsView on unpkg · L5
5// format/emit output the way Codex expects. L6: import { spawnSync } from 'node:child_process'; L7: import { basename } from 'node:path'; L8: export const DEFAULT_BASE_URL = 'https://nexusmind-backend.fly.dev'; L9: export const HEALTH_TIMEOUT_MS = 5000; ... L12: function envInt(name, fallback) { L13: const raw = process.env[name]; L14: if (!raw)
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/hooks/_helpers.jsView on unpkg · L5
dist/setup.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @smart-coder-labs/nexusmind-mcp@0.5.0 matchedIdentity = npm:[redacted]:0.5.0 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/setup.jsView on unpkg
13import * as readline from 'node:readline/promises'; L14: import { stdin as input, stdout as output } from 'node:process'; L15: import { spawnSync } from 'node:child_process'; L16: // ── Paths ───────────────────────────────────────────────────────────────────── L17: const HOME = homedir(); L18: const CLAUDE_JSON_PATH = join(HOME, '.claude.json'); ... L30: function codexHomeDir() { L31: return process.env.CODEX_HOME || join(HOME, '.codex'); L32: } ... L53: try { L54: return JSON.parse(readFileSync(path, 'utf8')); L55: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup.jsView on unpkg · L13

Findings

4 High3 Medium5 Low
HighChild Processdist/hooks/_helpers.js
HighShell
HighSame File Env Network Executiondist/hooks/_helpers.js
HighPrevious Version Dangerous Deltadist/setup.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License