nodespace-core
NodeSpaceAI/nodespace-coreNodeSpace AI-native knowledge management system with plugin architecture
Do not install this package
We found dangerous patterns that could harm your computer or steal your data. This package runs hidden code automatically when you install it. Unless you are 100% sure you trust the author and have reviewed the code yourself, do not install this.
What We Found(39 issues)
Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.
DO NOT INSTALL. This package runs code BEFORE you can even see what it does. Almost no legitimate package needs this. It's like a delivery driver demanding to enter your house before you can check what's in the box.
Technical details
Any preinstall script is suspicious. Legitimate packages almost never need to run code before installation. This hook executes before the user can inspect the package.
"preinstall": "node enforce-bun.js"DO NOT INSTALL. This package runs code BEFORE you can even see what it does. Almost no legitimate package needs this. It's like a delivery driver demanding to enter your house before you can check what's in the box.
Technical details
Any preinstall script is suspicious. Legitimate packages almost never need to run code before installation. This hook executes before the user can inspect the package.
"preinstall": "node ../../enforce-bun.js"Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.
Technical details
Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.
import { execSync } from 'child_process'Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.
Technical details
Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.
import { exec } from 'child_process'Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
execSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawnSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawn(Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.
Technical details
Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.
process.env.GITHUB_TOKENCaution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.
Technical details
Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.
process.env.GITHUB_TOKENCaution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.
Technical details
Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.
process.env.GITHUB_TOKENRisky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.
Technical details
Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.
import (bFinding Summary
2
Critical
35
High
2
Medium
0
Low
0
Info