AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network activity is limited to configurable X-Plane UDP control and Loupedeck device interaction.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the loupe-flightdeck CLI; postinstall runs patch-package during npm installation.
Impact
Controls the user-selected flight simulator endpoint and connected Loupedeck hardware as the application’s stated purpose.
Mechanism
Local profile rendering, hardware control, and X-Plane UDP commands
Rationale
Source inspection shows a flight-deck CLI with a bounded patch-package postinstall and user-invoked UDP simulator control. Dynamic profile evaluation is a documented package feature, but no concrete exfiltration, stealth persistence, destructive action, or foreign control-surface mutation is present.
Evidence
package.jsondist/app.jsdist/xplane.jsdist/graphics.jspatches/loupedeck+7.0.3.patchscripts/loupe-flightdeck.serviceprofile.yamlfont.ttfscripts/50-loupedeck.rules
Network endpoints1
localhost:49000
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has postinstall: patch-package
- patches/loupedeck+7.0.3.patch modifies loupedeck serial close behavior
- dist/graphics.js evaluates expressions from runtime YAML with Function()
Evidence against
- Postinstall applies a bounded local dependency patch; no shell or network command
- dist/app.js only reads the chosen YAML profile and bundled font
- No credential harvesting, file writes, subprocess execution, or exfiltration found
- dist/xplane.js uses UDP for the declared X-Plane control protocol, defaulting to localhost:49000
- scripts/loupe-flightdeck.service and scripts/50-loupedeck.rules require explicit user copying/install
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = patch-package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = patch-package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License