registry  /  preflight-pro  /  1.0.0-beta.11

preflight-pro@1.0.0-beta.11

The local security gate for AI-generated code.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 633 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.lemonsqueezy.com, api.preflight.dev, json.schemastore.org, openrouter.ai, preflight-proxy.vercel.app, preflight-vibe.vercel.app, preflight.local, www.apple.com, your-dashboard-subdomain.vercel.app

Source & flagged code

8 flagged · loading source
index.jsView file
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https");
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3559const literal = staticMatch[2] || staticMatch[3] || staticMatch[4] || ""; L3560: if (/\b(?:ping|curl|wget|ssh|scp|tar|zip|unzip|rm|cat|ls|cmd|powershell|nslookup)\b/i.test(literal)) { L3561: staticCommandVariables.add(staticMatch[1]);
High
Shell

Package source references shell execution.

index.jsView on unpkg · L3559
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L14: // its target's environment. L15: if (process.env.DOTENV_CONFIG_PATH) { L16: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH, quiet: true });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L3
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L14: // its target's environment. L15: if (process.env.DOTENV_CONFIG_PATH) { L16: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH, quiet: true }); ... L75: } = require("./src/ast/scanner"); L76: const packageJson = require("./package.json"); L77: ... L108: export async function POST(req: NextRequest) { L109: const data = await req.json();
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

index.jsView on unpkg · L3
matchType = previous_version_dangerous_delta matchedPackage = preflight-pro@1.0.0-beta.9 matchedIdentity = npm:cHJlZmxpZ2h0LXBybw:1.0.0-beta.9 similarity = 0.592 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

index.jsView on unpkg
src/daemon/protocol.tsView file
57L58: export function getPreflightSocketPath(targetDir = process.cwd()): string { L59: const hash = crypto.createHash("sha1").update(path.resolve(targetDir).toLowerCase()).digest("hex").slice(0, 12); L60: if (process.platform === "win32") { L61: return `\\\\.\\pipe\\preflight-${hash}`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/daemon/protocol.tsView on unpkg · L57
src/cli/login.jsView file
1const childProcess = require("node:child_process"); L2: const crypto = require("node:crypto"); L3: const http = require("node:http"); L4: const { URL } = require("node:url"); ... L36: L37: const platform = options.platform || process.platform; L38: const command = platform === "win32" ... L121: res.writeHead(404, { "Content-Type": "text/plain; charset=utf-8" }); L122: res.end("Not found"); L123: return; ... L180: const authUrl = buildAuthUrl({ L181: dashboardUrl: options.dashboardUrl || process.env.PREFLIGHT_DASHBOARD_URL || DEFAULT_AUTH_BASE_URL,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/cli/login.jsView on unpkg · L1
wasm/tree-sitter-javascript.wasmView file
path = wasm/tree-sitter-javascript.wasm kind = wasm_module sizeBytes = 411770 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wasm/tree-sitter-javascript.wasmView on unpkg

Findings

6 High4 Medium5 Low
HighChild Processindex.js
HighShellindex.js
HighSame File Env Network Executionindex.js
HighSandbox Evasion Gated Capabilitysrc/cli/login.js
HighCloud Metadata Accessindex.js
HighPrevious Version Dangerous Deltaindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulewasm/tree-sitter-javascript.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/daemon/protocol.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings