registry  /  genius-cortex  /  3.2.2

genius-cortex@3.2.2

Genius Cortex — multi-repo orchestration platform for Genius Team projects

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Confirmed remote-code-execution capability: explicit project upgrade/import operations download scripts from a mutable GitHub branch and pipe them to Bash. No malicious install-time chain or covert exfiltration was confirmed.

Static reason
No blocking static signals were detected.
Trigger
User runs `cortex upgrade` or starts the dashboard and invokes import/compatibility actions.
Impact
A compromised upstream GitHub branch can execute arbitrary shell code with the invoking user's permissions in registered project directories.
Mechanism
Unpinned curl-to-bash execution of remote Genius Team scripts.
Rationale
Source inspection confirms a dangerous unpinned remote execution path, but it is user-triggered functionality rather than stealthy install-time malware. Warn rather than block.
Evidence
package.jsondist/core/gt-source.jsdist/cli/upgrade.jsdist/api/server.jsdist/cli/init.jsdist/index.jsscripts/add.shscripts/upgrade.sh.genius/bin/genius-start~/.claude/CLAUDE.md~/.claude/settings.json
Network endpoints1
raw.githubusercontent.com/w-3-art/genius-team/main/scripts

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/core/gt-source.js` builds `bash <(curl -fsSL ...)` from a mutable GitHub `main` path.
  • `dist/cli/upgrade.js` executes that remote command for `cortex upgrade` targets.
  • `dist/api/server.js` runs the same remote add/upgrade scripts through `/api/import` and related compatibility flows.
  • `dist/index.js` exposes `dashboard`, which starts the local API server.
  • `dist/cli/init.js` can add a Claude SessionStart hook and managed CLAUDE.md content after interactive init.
Evidence against
  • `package.json` has only `prepare: npm run build`; no preinstall/install/postinstall hook.
  • Remote script execution is reached by explicit upgrade/import/dashboard actions, not package import or install.
  • Claude configuration writes are first-party Cortex entries performed during `cortex init`, not lifecycle execution.
  • `dist/index.js` update check only queries npm registry metadata and caches the result.
  • No source evidence of credential harvesting, covert exfiltration, or destructive behavior outside explicit uninstall purge.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 474 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, raw.githubusercontent.com, registry.npmjs.org, tauri.localhost

Source & flagged code

2 flagged · loading source
dist/core/registry.jsView file
10const path_1 = require("path"); L11: const child_process_1 = require("child_process"); L12: const config_1 = require("./config");
High
Child Process

Package source references child process execution.

dist/core/registry.jsView on unpkg · L10
dist/api/server.jsView file
417if (url.startsWith('/api/portfolio/intelligence')) { L418: const params = new URL(`http://x${url}`).searchParams; L419: const repoName = params.get('repo'); ... L425: try { L426: const { execSync } = require('child_process'); L427: const PATH = `/opt/homebrew/bin:/usr/local/bin:${process.env.PATH}`; L428: const ver = execSync('claude --version', { encoding: 'utf-8', timeout: 5000, env: { ...process.env, PATH } }).trim();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/api/server.jsView on unpkg · L417

Findings

3 High2 Medium5 Low
HighChild Processdist/core/registry.js
HighShell
HighSame File Env Network Executiondist/api/server.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings