registry  /  loupe-flightdeck  /  0.0.22

loupe-flightdeck@0.0.22

Turn your stream deck into a flight deck!

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network activity is limited to configurable X-Plane UDP control and Loupedeck device interaction.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the loupe-flightdeck CLI; postinstall runs patch-package during npm installation.
Impact
Controls the user-selected flight simulator endpoint and connected Loupedeck hardware as the application’s stated purpose.
Mechanism
Local profile rendering, hardware control, and X-Plane UDP commands
Rationale
Source inspection shows a flight-deck CLI with a bounded patch-package postinstall and user-invoked UDP simulator control. Dynamic profile evaluation is a documented package feature, but no concrete exfiltration, stealth persistence, destructive action, or foreign control-surface mutation is present.
Evidence
package.jsondist/app.jsdist/xplane.jsdist/graphics.jspatches/loupedeck+7.0.3.patchscripts/loupe-flightdeck.serviceprofile.yamlfont.ttfscripts/50-loupedeck.rules
Network endpoints1
localhost:49000

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall: patch-package
  • patches/loupedeck+7.0.3.patch modifies loupedeck serial close behavior
  • dist/graphics.js evaluates expressions from runtime YAML with Function()
Evidence against
  • Postinstall applies a bounded local dependency patch; no shell or network command
  • dist/app.js only reads the chosen YAML profile and bundled font
  • No credential harvesting, file writes, subprocess execution, or exfiltration found
  • dist/xplane.js uses UDP for the declared X-Plane control protocol, defaulting to localhost:49000
  • scripts/loupe-flightdeck.service and scripts/50-loupedeck.rules require explicit user copying/install
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 5 file(s), 64.0 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = patch-package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = patch-package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License