registry  /  @launchsecure/launch-kit  /  0.0.48

@launchsecure/launch-kit@0.0.48

LaunchSecure toolkit — launch-sequencer (pipeline runner + terminal bridge), launch-radar (feedback webhook receiver), launch-chart (project graph MCP), launch-deck (visual playground MCP), launch-kit-beacon (feedback Web Component), launch-recall (file-w

AI Security Review

scanned 12d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs launch-kit init/refresh/statusline, launch-mood init, radar services, or MCP tools
Impact
Can grant LaunchSecure tools and spawned agents broad project access, run package-managed MCP servers via npx, and modify project/home agent settings when the user opts in
Mechanism
User-invoked Claude/MCP scaffolding and unattended agent execution with optional/embedded permission bypass
Policy narrative
A user-invoked bootstrap/refresh can wire LaunchSecure MCP servers, Claude plugins, hooks, statusline scripts, and recall watchers into a project or Claude home config. Radar/agent flows can spawn Claude or Codex with dangerous permission bypass to work unattended from LaunchSecure events. I did not find consumer install-time execution or covert credential exfiltration; the risky behavior is documented, package-aligned agent automation activated by explicit commands.
Rationale
Because the broad Claude/MCP control-surface writes are not lifecycle-triggered and appear to be the package's documented purpose, this does not meet the block policy for unconsented AI-agent control hijack. The package should be warned for high-risk agent extension and permission-bypass capabilities.
Evidence
package.jsondist/server/init-entry.jsdist/server/mood-entry.jsdist/server/cli.jsdist/server/orbit-entry.jsscaffolds/recall-hook/scripts/ensure-recall.shscaffolds/ls-marketplace/plugins/kit/commands/activate-statusline.md.mcp.json.codex/config.toml.claude/settings.json.claude/commands/mood.md.claude/behavior/CLAUDE.md.launch-secure.cred.configscripts/ensure-recall.sh~/.claude/settings.json~/.launchsecure/statusline-wrapper.sh~/.claude/.credentials.json~/.claude.json
Network endpoints5
launchsecure-v2.vercel.appgithub.com/prajyot-tote/starter-template.gitgithub.com/launchsecure/launchsecure-v2*.trycloudflare.comCloudflare API via configured token

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/server/init-entry.js init/refresh writes .mcp.json and .claude/settings.json scaffolds for LaunchSecure tools
  • dist/server/mood-entry.js user-run `launch-mood init` writes .claude/settings.json hooks, .claude/commands/mood.md, and .mcp.json with @latest npx server
  • dist/server/cli.js can spawn Claude/Codex sessions with dangerous permission bypass for radar/agent workflows
  • scaffolds/recall-hook/scripts/ensure-recall.sh is a Claude SessionStart hook that respawns launch-recall watcher via npx
  • scaffolds/ls-marketplace/plugins/kit contains Claude plugin skills/commands that instruct MCP usage and project edits
Evidence against
  • package.json has no install/postinstall/prepare consumer lifecycle hook; only prepublishOnly build
  • Agent/MCP/control-surface writes are tied to explicit CLI commands such as init, refresh, statusline activate, and launch-mood init
  • LaunchSecure network use is package-aligned: project MCP, radar webhook, OIDC/Cloudflare provisioning, and GitHub setup
  • Secrets are read from explicit env/cred config and used for LaunchSecure/GitHub/Cloudflare workflows; no hidden exfil path confirmed
  • MCP config uses headersHelper for launch-secure instead of embedding PAT in .mcp.json
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 92 file(s), 9.79 MB of source, external domains: 127.0.0.1, api.cloudflare.com, automatewith.us, cdn.jsdelivr.net, chevrotain.io, d3js.org, en.wikipedia.org, fb.me, fetch.spec.whatwg.org, fonts.googleapis.com, get.docker.com, git-scm.com, github.com, github.com.helper, jquery.org, langium.org, launchsecure-v2.vercel.app, mimesniff.spec.whatwg.org, openrouter.ai, orbit.dev, pro.reactflow.dev, radix-ui.com, randomuser.me, reactflow.dev, reactjs.org, revealjs.com, tldrlegal.com, unpkg.com, webidl.spec.whatwg.org, wiredjs.com, www.docker.com, www.w3.org

Source & flagged code

13 flagged · loading source
dist/server/orbit-entry.jsView file
35try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd,
High
Child Process

Package source references child process execution.

dist/server/orbit-entry.jsView on unpkg · L35
35Cross-file remote execution chain: dist/server/orbit-entry.js spawns dist/server/graph-mcp-entry.js; helper contains network access plus dynamic code execution. L35: try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd, ... L171: try { L172: const parsed = JSON.parse((0, import_node_fs3.readFileSync)(REGISTRY_PATH, "utf-8")); L173: if (parsed?.version === 1 && parsed.worktrees && typeof parsed.worktrees === "object") { ... L264: init_launch_kit_paths(); L265: REGISTRY_DIR = (0, import_node_path2.join)((0, import_node_os.homedir)(), LAUNCHSECURE_DIR, "orbit"); L266: REGISTRY_PATH = (0, import_node_path2.join)(REGISTRY_DIR, "state.json"); ... L497: const m = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/.exec(ref); L498: if (m) return process.env[m[1]] ?? null; L499: return ref || null;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server/orbit-entry.jsView on unpkg · L35
1594ctx.logger.step(`[build-lint] ${installCmd}`); L1595: const installRes = (0, import_node_child_process6.spawnSync)("bash", ["-c", `cd ${shellQuote2(checkPath)} && ${installCmd}`], { L1596: stdio: ["ignore", "pipe", "pipe"], ... L1607: if ((0, import_node_fs8.existsSync)((0, import_node_path6.join)(checkPath, "prisma", "schema.prisma"))) { L1608: const prismaCmd = "npx prisma generate"; L1609: ctx.logger.step(`[build-lint] ${prismaCmd}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/orbit-entry.jsView on unpkg · L1594
59"use strict"; L60: import_node_child_process = require("node:child_process"); L61: import_node_fs = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/orbit-entry.jsView on unpkg · L59
dist/server/rover-entry.jsView file
1864init_types(); L1865: execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile); L1866: DEFAULT_IMAGE = "ghcr.io/launchsecure/launch-pod:latest"; L1867: GHCR_REGISTRY = "ghcr.io"; L1868: GHCR_USERNAME = process.env.GHCR_PULL_USERNAME ?? "ghcr-pull"; L1869: MANAGED_LABEL = "launch-rover.managed"; ... L1878: if (port == null || !Number.isFinite(port) || port <= 0) return null; L1879: return `http://127.0.0.1:${port}`; L1880: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/rover-entry.jsView on unpkg · L1864
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L426: try { L427: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L428: encoding: "utf-8",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L426: try { L427: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L428: encoding: "utf-8",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L426: try { L427: version = (0, import_node_child_process.execFileSync)("docker", ["--version"], { L428: encoding: "utf-8",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/rover-entry.jsView on unpkg · L37
dist/server/cli.jsView file
241for (let i = 0; i < str.length; ++i) { L242: bytes.push(str.charCodeAt(i)); L243: } ... L567: "claude-code", L568: path13.join(process.env.HOME || "/", ".claude", "local", "claude"), L569: path13.join(process.env.HOME || "/", ".local", "bin", "claude"), ... L587: try { L588: require("child_process").execFileSync("which", [command], { stdio: "ignore" }); L589: return true; ... L598: const { L599: workingDir = process.cwd(), L600: dangerouslySkipPermissions = false,
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/server/cli.jsView on unpkg · L241
241Trigger-reachable chain: manifest.bin -> dist/server/cli.js L241: for (let i = 0; i < str.length; ++i) { L242: bytes.push(str.charCodeAt(i)); L243: } ... L567: "claude-code", L568: path13.join(process.env.HOME || "/", ".claude", "local", "claude"), L569: path13.join(process.env.HOME || "/", ".local", "bin", "claude"), ... L587: try { L588: require("child_process").execFileSync("which", [command], { stdio: "ignore" }); L589: return true; ... L598: const { L599: workingDir = process.cwd(), L600: dangerouslySkipPermissions = false,
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/cli.jsView on unpkg · L241
dist/server/council-entry.jsView file
1423} catch (err) { L1424: process.stderr.write(`[launch-council] parse error: ${err} L1425: `); ... L1433: } L1434: var import_node_http2, import_node_path6, import_node_child_process3, import_node_fs6, import_node_os2, SERVER_INFO, TOOLS; L1435: var init_council_mcp = __esm({ ... L1437: "use strict"; L1438: import_node_http2 = __toESM(require("node:http")); L1439: import_node_path6 = require("node:path");
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server/council-entry.jsView on unpkg · L1423
scaffolds/migrate-safety/scripts/migrate-with-backup.shView file
path = scaffolds/migrate-safety/scripts/migrate-with-backup.sh kind = build_helper sizeBytes = 12750 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scaffolds/migrate-safety/scripts/migrate-with-backup.shView on unpkg
dist/server/mood-entry.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @launchsecure/launch-kit@0.0.47 matchedIdentity = npm:[redacted]:0.0.47 similarity = 0.955 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/mood-entry.jsView on unpkg

Findings

3 Critical6 High6 Medium8 Low
CriticalCredential Exfiltrationdist/server/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/server/cli.js
CriticalPrevious Version Dangerous Deltadist/server/mood-entry.js
HighChild Processdist/server/orbit-entry.js
HighSame File Env Network Executiondist/server/rover-entry.js
HighCommand Output Exfiltrationdist/server/council-entry.js
HighSandbox Evasion Gated Capabilitydist/server/rover-entry.js
HighCross File Remote Execution Contextdist/server/orbit-entry.js
HighRuntime Package Installdist/server/orbit-entry.js
MediumDynamic Requiredist/server/orbit-entry.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/server/rover-entry.js
MediumShips Build Helperscaffolds/migrate-safety/scripts/migrate-with-backup.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/server/rover-entry.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings