registry  /  @smart-coder-labs/nexusmind-mcp  /  0.7.3

@smart-coder-labs/nexusmind-mcp@0.7.3

NexusMind MCP server for Claude Code and Cursor — team memory that persists across sessions

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs nexusmind setup and approves the resulting Codex hooks.
Impact
Agent-session content can be transmitted to the configured NexusMind service; the Stop hook can delay completion once per session.
Mechanism
User-invoked AI-agent hook installation and memory synchronization.
Rationale
Source confirms a user-invoked, persistent agent-extension setup with session-content transmission and a completion gate, but no lifecycle-triggered or covert malicious chain. Warn rather than block because Codex requires explicit hook approval and package installation alone is inert.
Evidence
package.jsondist/setup.jsdist/hooks/_helpers.jsdist/hooks/stop.jsdist/client.jsREADME.md
Network endpoints2
nexusmind-backend.fly.dev/v1/healthnexusmind-backend.fly.dev/v1/memory/store

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/setup.js explicitly writes Codex hook registrations and copies hook code to ~/.nexusmind/hook-runtime.
  • Configured hooks read Codex transcript data and send selected content to the NexusMind API.
  • dist/hooks/stop.js can emit a Codex block decision to keep a turn active.
  • Hooks default to nexusmind-backend.fly.dev when an API key is present.
Evidence against
  • package.json has no preinstall, install, or postinstall hook.
  • Setup is an explicit interactive command; Codex hooks require separate user approval.
  • Child-process use is limited to codex registration/version checks and Windows setx.
  • No eval, downloaded code execution, credential harvesting, or unrelated exfiltration found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 19 file(s), 280 KB of source, external domains: github.com, nexusmind-backend.fly.dev

Source & flagged code

5 flagged · loading source
dist/hooks/_helpers.jsView file
5// format/emit output the way Codex expects. L6: import { spawnSync } from 'node:child_process'; L7: import { basename } from 'node:path';
High
Child Process

Package source references child process execution.

dist/hooks/_helpers.jsView on unpkg · L5
5// format/emit output the way Codex expects. L6: import { spawnSync } from 'node:child_process'; L7: import { basename } from 'node:path'; L8: import { readFile } from 'node:fs/promises'; L9: export const DEFAULT_BASE_URL = 'https://nexusmind-backend.fly.dev'; L10: export const HEALTH_TIMEOUT_MS = 5000; ... L13: function envInt(name, fallback) { L14: const raw = process.env[name]; L15: if (!raw)
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/hooks/_helpers.jsView on unpkg · L5
dist/setup.jsView file
137return; L138: const res = spawnSync('setx', [name, value], { stdio: 'ignore', shell: true }); L139: if (!res.error && res.status === 0) {
High
Shell

Package source references shell execution.

dist/setup.jsView on unpkg · L137
13import * as readline from 'node:readline/promises'; L14: import { stdin as input, stdout as output } from 'node:process'; L15: import { spawnSync } from 'node:child_process'; L16: import { verifyCredentials, maskKey } from './verify.js'; L17: // ── Paths ───────────────────────────────────────────────────────────────────── L18: const HOME = homedir(); L19: const CLAUDE_JSON_PATH = join(HOME, '.claude.json'); ... L33: function codexHomeDir() { L34: return process.env.CODEX_HOME || join(HOME, '.codex'); L35: } ... L56: try { L57: return JSON.parse(readFileSync(path, 'utf8'));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup.jsView on unpkg · L13
dist/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @smart-coder-labs/nexusmind-mcp@0.6.2 matchedIdentity = npm:[redacted]:0.6.2 similarity = 0.700 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/doctor.jsView on unpkg

Findings

4 High3 Medium6 Low
HighChild Processdist/hooks/_helpers.js
HighShelldist/setup.js
HighSame File Env Network Executiondist/hooks/_helpers.js
HighPrevious Version Dangerous Deltadist/doctor.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License