AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malware was confirmed, but the package has a runtime extension lifecycle surface in Nexus: loading the bundle can update/apply a nexGear3 Nexus package from unpkg. This is package-aligned but modifies client reflex/package state.
Decision evidence
public snapshot- dist/nexGear.min.js auto-fetches https://unpkg.com/nexgear/nexGear3.nxs at runtime when nexusclient exists and applies it to nexusclient packages().get('nexGear3').
- dist/nexGear3.nxs onInstall runs SystemLoaded, which dynamically imports https://unpkg.com/nexgear/dist/nexGear.min.js.
- dist/nexGear3.nxs defines Nexus aliases/triggers that send in-game gear commands and update nexusclient.variables().vars.nexGear.
- package.json has no preinstall/install/postinstall lifecycle hooks and no bin entrypoint.
- Network endpoints are package-aligned unpkg URLs for nexgear assets, not arbitrary exfiltration hosts.
- Inspected source shows UI/gear-manager behavior for Achaea Nexus, with no credential/env/file harvesting or shell execution.
- State changes are limited to DOM modal creation, nexusclient variables/reflexes, and in-game gear command automation.
Source & flagged code
2 flagged · loading sourcedist/nexGear.min.js auto-fetches https://unpkg.com/nexgear/nexGear3.nxs at runtime when nexusclient exists and applies it to nexusclient packages().get('nexGear3').
dist/nexGear.min.jsView on unpkgdist/nexGear3.nxs onInstall runs SystemLoaded, which dynamically imports https://unpkg.com/nexgear/dist/nexGear.min.js.
unpkg.com/nexgear/dist/nexGear.min.jsView on unpkg