
nuwax-file-server@1.3.3

Cross-platform file service deployment tool with start/stop/restart CLI commands

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User starts the nuwax-file-server CLI/server and calls its HTTP APIs.
Impact
Remote or local API callers may execute commands and alter workspace agent configuration if the service is reachable and unauthenticated.
Mechanism
runtime workspace management and explicit agent hook/config mutation
Rationale
Static inspection supports a warning for dangerous runtime and AI-agent workspace control capabilities, but not a malicious block because there is no consumer install-time mutation, hardcoded exfiltration, stealth persistence, or remote payload execution independent of user/API input. The scanner reverse-shell hint is explained by local port/process probing in portUtils.js.
Evidence
  • package.json
  • dist/cli.js
  • dist/server.js
  • dist/routes/computerRoutes.js
  • dist/utils/computer/computerUtils.js
  • dist/utils/computer/hookConfigUtils.js
  • dist/utils/buildArg/portUtils.js
  • dist/scheduler/pnpmPruneScheduler.js
  • /tmp/nuwax-file-server/server.pid
  • .codex/hooks.json
  • .codex/hooks
  • .claude/settings.json
  • .claude/hooks
  • .mcp.json
  • .opencode/plugins

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/routes/computerRoutes.js exposes runtime /execute-command API that runs caller-supplied commands in a workspace.
  • dist/utils/computer/hookConfigUtils.js can write .codex/hooks.json, .claude/settings.json, .mcp.json, hook scripts, and .opencode plugins from request-supplied config.
  • dist/utils/computer/computerUtils.js downloads user-supplied skillUrls and installs extracted skills into agent workspace directories.
  • dist/server.js serves broad file/workspace management APIs without visible auth middleware in inspected code.
Evidence against
  • package.json has no preinstall/install/postinstall; only prepublishOnly build script, not consumer install-time execution.
  • dist/cli.js only starts/stops/status-checks the local service and stores PID data under OS tmpdir.
  • dist/utils/buildArg/portUtils.js uses ss/netstat/lsof/ps only for local port and process discovery; no reverse shell endpoint found.
  • dist/scheduler/pnpmPruneScheduler.js runs fixed pnpm store prune/path and du commands, configurable by env but not a remote payload fetch.
  • No hardcoded exfiltration host, credential harvesting loop, destructive install-time mutation, or reviewer prompt injection found.
Behavioral surface
Source
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · Minified · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 63 file(s), 305 KB of source, external domains: 127.0.0.1, registry.npmmirror.com

Source & flagged code

4 flagged
dist/scheduler/pnpmPruneScheduler.js
L1: import o from"node-cron";import{exec as a}from"child_process";import"fs";import"path";import{log as e}from"../utils/log/logUtils.js";class h{constructor(s={}){this.config={enabled:...
L2: `)}}async getStoreStatus(){try{const s=await this.runCommand("pnpm store path");if(!s.success)return null;const t=s.stdout.trim(),r=await this.runCommand(`du -sh "${t}"`),c=r.succe...
High
Child Process

Package source references child process execution.

dist/scheduler/pnpmPruneScheduler.js · L1
dist/cli.js
L1: #!/usr/bin/env node
L2: import{Command as ee}from"commander";import{createRequire as te}from"module";import f from"path";import U from"os";import c from"fs-extra";import{spawn as E}from"cross-spawn";impor...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L1
dist/utils/buildArg/portUtils.js
L1: import p from"fs";import G from"net";import{execSync as d}from"child_process";import{log as a}from"../log/logUtils.js";function E(t){if(!t||typeof t!="string")return;let n=t.match(...
L2: `).filter(o=>o).map(o=>Number(o));if(s.length>0)return s}catch{}try{const n=`ps -eo pid,ppid | awk '$2==${t} {print $1}'`,r=d(n,{stdio:["ignore","pipe","ignore"],timeout:2e3,killSi...
...
L7: `).filter(o=>o).map(o=>Number(o))}catch{return[]}}function I(t,n=1e4,r=500,e="default"){return new Promise(s=>{let o=!1,c=0;const i=Math.ceil(n/r);a(e,"INFO","Start waiting for lis...
L8: `).reverse();for(const f of l){if(f.match(/^\[[\d\/\s:]+\]/)||/(EADDRINUSE|address already in use|Error:\s*listen)/i.test(f)||/^(\s|\t)*(code|errno|syscall|address|port)\s*:/i.test...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/utils/buildArg/portUtils.js · L1
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/buildArg/portUtils.js · L1

Findings

1 Critical · 4 High · 3 Medium · 5 Low
Critical · Reverse Shell · dist/utils/buildArg/portUtils.js
High · Child Process · dist/scheduler/pnpmPruneScheduler.js
High · Shell
High · Same File Env Network Execution · dist/cli.js
High · Sandbox Evasion Gated Capability · dist/utils/buildArg/portUtils.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings