registry  /  @launchsecure/launch-kit  /  0.0.54

@launchsecure/launch-kit@0.0.54

⚠ Under review

LaunchSecure toolkit — launch-sequencer (pipeline runner + terminal bridge), launch-radar (feedback webhook receiver), launch-chart (project graph MCP), launch-deck (visual playground MCP), launch-kit-beacon (feedback Web Component), launch-recall (file-w

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 11.8 MB of source, external domains: 127.0.0.1, api.cloudflare.com, automatewith.us, cdn.jsdelivr.net, chevrotain.io, d3js.org, en.wikipedia.org, fb.me, fetch.spec.whatwg.org, fonts.googleapis.com, get.docker.com, git-scm.com, github.com, github.com.helper, jquery.org, langium.org, launchsecure-v2.vercel.app, mimesniff.spec.whatwg.org, openrouter.ai, orbit.dev, pro.reactflow.dev, radix-ui.com, randomuser.me, reactflow.dev, reactjs.org, revealjs.com, tldrlegal.com, unpkg.com, webidl.spec.whatwg.org, wiredjs.com, www.docker.com, www.w3.org

Source & flagged code

10 flagged · loading source
dist/server/orbit-entry.jsView file
35try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd,
High
Child Process

Package source references child process execution.

dist/server/orbit-entry.jsView on unpkg · L35
35Cross-file remote execution chain: dist/server/orbit-entry.js spawns dist/server/graph-mcp-entry.js; helper contains network access plus dynamic code execution. L35: try { L36: return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "HEAD"], { L37: cwd, ... L171: try { L172: const parsed = JSON.parse((0, import_node_fs3.readFileSync)(REGISTRY_PATH, "utf-8")); L173: if (parsed?.version === 1 && parsed.worktrees && typeof parsed.worktrees === "object") { ... L264: init_launch_kit_paths(); L265: REGISTRY_DIR = (0, import_node_path2.join)((0, import_node_os.homedir)(), LAUNCHSECURE_DIR, "orbit"); L266: REGISTRY_PATH = (0, import_node_path2.join)(REGISTRY_DIR, "state.json"); ... L497: const m = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/.exec(ref); L498: if (m) return process.env[m[1]] ?? null; L499: return ref || null;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server/orbit-entry.jsView on unpkg · L35
1594ctx.logger.step(`[build-lint] ${installCmd}`); L1595: const installRes = (0, import_node_child_process6.spawnSync)("bash", ["-c", `cd ${shellQuote2(checkPath)} && ${installCmd}`], { L1596: stdio: ["ignore", "pipe", "pipe"], ... L1607: if ((0, import_node_fs8.existsSync)((0, import_node_path6.join)(checkPath, "prisma", "schema.prisma"))) { L1608: const prismaCmd = "npx prisma generate"; L1609: ctx.logger.step(`[build-lint] ${prismaCmd}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/orbit-entry.jsView on unpkg · L1594
59"use strict"; L60: import_node_child_process = require("node:child_process"); L61: import_node_fs = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/orbit-entry.jsView on unpkg · L59
dist/server/rover-entry.jsView file
2256init_types(); L2257: execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile); L2258: DEFAULT_IMAGE = "ghcr.io/launchsecure/launch-pod:latest"; L2259: GHCR_REGISTRY = "ghcr.io"; L2260: GHCR_USERNAME = process.env.GHCR_PULL_USERNAME ?? "ghcr-pull"; L2261: MANAGED_LABEL = "launch-rover.managed"; ... L2270: if (port == null || !Number.isFinite(port) || port <= 0) return null; L2271: return `http://127.0.0.1:${port}`; L2272: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/rover-entry.jsView on unpkg · L2256
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L437: publicBase: "", L438: studioCwd: process.cwd(), L439: studioModel: "",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L437: publicBase: "", L438: studioCwd: process.cwd(), L439: studioModel: "",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/server/rover-entry.jsView on unpkg · L37
37async function cf(opts) { L38: const res = await fetch(`${CF_API_BASE}${opts.path}`, { L39: method: opts.method, ... L45: }, L46: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0, L47: signal: AbortSignal.timeout(15e3) L48: }); L49: const text = await res.text(); L50: try { ... L437: publicBase: "", L438: studioCwd: process.cwd(), L439: studioModel: "",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/rover-entry.jsView on unpkg · L37
scaffolds/migrate-safety/scripts/migrate-with-backup.shView file
path = scaffolds/migrate-safety/scripts/migrate-with-backup.sh kind = build_helper sizeBytes = 12750 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scaffolds/migrate-safety/scripts/migrate-with-backup.shView on unpkg
dist/server/council-entry.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @launchsecure/launch-kit@0.0.48 matchedIdentity = npm:[redacted]:0.0.48 similarity = 0.848 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/council-entry.jsView on unpkg

Findings

1 Critical5 High6 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/server/council-entry.js
HighChild Processdist/server/orbit-entry.js
HighSame File Env Network Executiondist/server/rover-entry.js
HighSandbox Evasion Gated Capabilitydist/server/rover-entry.js
HighCross File Remote Execution Contextdist/server/orbit-entry.js
HighRuntime Package Installdist/server/orbit-entry.js
MediumDynamic Requiredist/server/orbit-entry.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/server/rover-entry.js
MediumShips Build Helperscaffolds/migrate-safety/scripts/migrate-with-backup.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/server/rover-entry.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings