registry  /  @launchsecure/launch-kit  /  0.0.47

@launchsecure/launch-kit@0.0.47

LaunchSecure toolkit — launch-sequencer (pipeline runner + terminal bridge), launch-radar (feedback webhook receiver), launch-chart (project graph MCP), launch-deck (visual playground MCP), launch-kit-beacon (feedback Web Component), launch-recall (file-w

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI toolkit that bootstraps LaunchSecure projects, configures local MCP entries, provisions optional Cloudflare access, and runs user-invoked agent/worktree automation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs declared CLI bins such as launch-kit, launch-radar, launch-orbit, or launch-rover
Impact
Potentially broad local automation if intentionally enabled, but aligned with package purpose and not install-time or covert
Mechanism
User-invoked project automation and MCP/agent configuration
Rationale
Static inspection found high-privilege CLI capabilities and AI-agent/MCP configuration writes, but they are declared, user-invoked, and consistent with the LaunchSecure automation product. No lifecycle execution, covert credential exfiltration, obfuscation, or unconsented agent control-surface mutation was confirmed.
Evidence
package.jsondist/server/init-entry.jsdist/server/cli.jsdist/server/orbit-entry.jsdist/server/rover-entry.js.mcp.json.codex/config.toml~/.claude/.radar-oauth-token~/.claude/.credentials.json~/.claude.json.launchpod/radar.json.launchpod/screenshots/*.claude/worktrees/*
Network endpoints4
launchsecure-v2.vercel.appapi.cloudflare.com/client/v4localhost:4177configured LS_SERVER_URL/LAUNCHSECURE_URL

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/server/cli.js writes .mcp.json and .codex/config.toml with LaunchSecure MCP entries during user CLI flow
  • dist/server/cli.js can spawn unattended Claude sessions for radar feedback handling with dangerouslySkipPermissions
  • dist/server/orbit-entry.js runs git, package-manager install, prisma, tsc, lint, and build commands in worktrees
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • Risky behavior is exposed through declared bins, not import-time or install-time execution
  • dist/server/init-entry.js Cloudflare and LaunchSecure calls use user-supplied LS_PAT/cloud tokens for documented setup/provisioning
  • dist/server/cli.js token persistence writes local ~/.claude/.radar-oauth-token; no credential harvesting loop or arbitrary exfiltration found
  • Network hosts are package-aligned: launchsecure-v2.vercel.app, api.cloudflare.com, configured LS_SERVER_URL/LAUNCHSECURE_URL
  • No obfuscated payload, persistence outside declared config, destructive filesystem action, or dependency-confusion behavior found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 88 file(s), 9.53 MB of source, external domains: 127.0.0.1, api.cloudflare.com, automatewith.us, cdn.jsdelivr.net, chevrotain.io, d3js.org, en.wikipedia.org, fb.me, fetch.spec.whatwg.org, fonts.googleapis.com, get.docker.com, git-scm.com, github.com, github.com.helper, jquery.org, langium.org, launchsecure-v2.vercel.app, mimesniff.spec.whatwg.org, openrouter.ai, orbit.dev, pro.reactflow.dev, radix-ui.com, randomuser.me, reactflow.dev, reactjs.org, revealjs.com, tldrlegal.com, unpkg.com, webidl.spec.whatwg.org, wiredjs.com, www.docker.com, www.w3.org

Source & flagged code

12 flagged · loading source
dist/server/orbit-entry.jsView file
35try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd,
High
Child Process

Package source references child process execution.

dist/server/orbit-entry.jsView on unpkg · L35
35Cross-file remote execution chain: dist/server/orbit-entry.js spawns dist/server/graph-mcp-entry.js; helper contains network access plus dynamic code execution. L35: try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd, ... L171: try { L172: const parsed = JSON.parse((0, import_node_fs3.readFileSync)(REGISTRY_PATH, "utf-8")); L173: if (parsed?.version === 1 && parsed.worktrees && typeof parsed.worktrees === "object") { ... L264: init_launch_kit_paths(); L265: REGISTRY_DIR = (0, import_node_path2.join)((0, import_node_os.homedir)(), LAUNCHSECURE_DIR, "orbit"); L266: REGISTRY_PATH = (0, import_node_path2.join)(REGISTRY_DIR, "state.json"); ... L497: const m = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/.exec(ref); L498: if (m) return process.env[m[1]] ?? null; L499: return ref || null;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server/orbit-entry.jsView on unpkg · L35
1594ctx.logger.step(`[build-lint] ${installCmd}`); L1595: const installRes = (0, import_node_child_process6.spawnSync)("bash", ["-c", `cd ${shellQuote2(checkPath)} && ${installCmd}`], { L1596: stdio: ["ignore", "pipe", "pipe"], ... L1607: if ((0, import_node_fs8.existsSync)((0, import_node_path6.join)(checkPath, "prisma", "schema.prisma"))) { L1608: const prismaCmd = "npx prisma generate"; L1609: ctx.logger.step(`[build-lint] ${prismaCmd}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/orbit-entry.jsView on unpkg · L1594
59"use strict"; L60: import_node_child_process = require("node:child_process"); L61: import_node_fs = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/orbit-entry.jsView on unpkg · L59
dist/server/rover-entry.jsView file
1851init_types(); L1852: execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile); L1853: DEFAULT_IMAGE = "ghcr.io/launchsecure/launch-pod:latest"; L1854: GHCR_REGISTRY = "ghcr.io"; L1855: GHCR_USERNAME = process.env.GHCR_PULL_USERNAME ?? "ghcr-pull"; L1856: MANAGED_LABEL = "launch-rover.managed"; ... L1865: if (port == null || !Number.isFinite(port) || port <= 0) return null; L1866: return `http://127.0.0.1:${port}`; L1867: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/rover-entry.jsView on unpkg · L1851
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L415: try { L416: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L417: encoding: "utf-8",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L415: try { L416: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L417: encoding: "utf-8",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L415: try { L416: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L417: encoding: "utf-8",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/rover-entry.jsView on unpkg · L37
dist/server/cli.jsView file
241for (let i = 0; i < str.length; ++i) { L242: bytes.push(str.charCodeAt(i)); L243: } ... L567: "claude-code", L568: path13.join(process.env.HOME || "/", ".claude", "local", "claude"), L569: path13.join(process.env.HOME || "/", ".local", "bin", "claude"), ... L587: try { L588: require("child_process").execFileSync("which", [command], { stdio: "ignore" }); L589: return true; ... L598: const { L599: workingDir = process.cwd(), L600: dangerouslySkipPermissions = false,
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/server/cli.jsView on unpkg · L241
241Trigger-reachable chain: manifest.bin -> dist/server/cli.js L241: for (let i = 0; i < str.length; ++i) { L242: bytes.push(str.charCodeAt(i)); L243: } ... L567: "claude-code", L568: path13.join(process.env.HOME || "/", ".claude", "local", "claude"), L569: path13.join(process.env.HOME || "/", ".local", "bin", "claude"), ... L587: try { L588: require("child_process").execFileSync("which", [command], { stdio: "ignore" }); L589: return true; ... L598: const { L599: workingDir = process.cwd(), L600: dangerouslySkipPermissions = false,
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.jsView on unpkg · L241
dist/server/council-entry.jsView file
1423} catch (err) { L1424: process.stderr.write(`[launch-council] parse error: ${err} L1425: `); ... L1433: } L1434: var import_node_http2, import_node_path6, import_node_child_process3, import_node_fs6, import_node_os2, SERVER_INFO, TOOLS; L1435: var init_council_mcp = __esm({ ... L1437: "use strict"; L1438: import_node_http2 = __toESM(require("node:http")); L1439: import_node_path6 = require("node:path");
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server/council-entry.jsView on unpkg · L1423
scaffolds/migrate-safety/scripts/migrate-with-backup.shView file
path = scaffolds/migrate-safety/scripts/migrate-with-backup.sh kind = build_helper sizeBytes = 12750 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scaffolds/migrate-safety/scripts/migrate-with-backup.shView on unpkg

Findings

2 Critical6 High6 Medium7 Low
CriticalCredential Exfiltrationdist/server/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/server/cli.js
HighChild Processdist/server/orbit-entry.js
HighSame File Env Network Executiondist/server/rover-entry.js
HighCommand Output Exfiltrationdist/server/council-entry.js
HighSandbox Evasion Gated Capabilitydist/server/rover-entry.js
HighCross File Remote Execution Contextdist/server/orbit-entry.js
HighRuntime Package Installdist/server/orbit-entry.js
MediumDynamic Requiredist/server/orbit-entry.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/server/rover-entry.js
MediumShips Build Helperscaffolds/migrate-safety/scripts/migrate-with-backup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/rover-entry.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings