registry  /  preflight-pro  /  1.0.0-beta.8

preflight-pro@1.0.0-beta.8

The local security gate for AI-generated code.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 511 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.lemonsqueezy.com, api.preflight.dev, json.schemastore.org, openrouter.ai, preflight-proxy.vercel.app, preflight-vibe.vercel.app, preflight.local, waitlister.me, www.apple.com, your-dashboard-subdomain.vercel.app

Source & flagged code

7 flagged · loading source
index.jsView file
3const fs = require("node:fs/promises"); L4: const { execFile } = require("node:child_process"); L5: const https = require("node:https");
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3const fs = require("node:fs/promises"); L4: const { execFile } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L9: const { promisify } = require("node:util"); L10: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH || undefined, quiet: true }); L11: const { Command } = require("commander");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L3
3const fs = require("node:fs/promises"); L4: const { execFile } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L9: const { promisify } = require("node:util"); L10: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH || undefined, quiet: true }); L11: const { Command } = require("commander"); ... L64: } = require("./src/ast/scanner"); L65: const packageJson = require("./package.json"); L66: ... L89: export async function POST(req: NextRequest) { L90: const data = await req.json();
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

index.jsView on unpkg · L3
src/cli/start.tsView file
101"Set WshShell = CreateObject(\"WScript.Shell\")", L102: `WshShell.Run "cmd.exe /d /s /c ""${escapeVbsString(command)}""", 0, False`, L103: ""
High
Shell

Package source references shell execution.

src/cli/start.tsView on unpkg · L101
src/daemon/protocol.tsView file
57L58: export function getPreflightSocketPath(targetDir = process.cwd()): string { L59: const hash = crypto.createHash("sha1").update(path.resolve(targetDir).toLowerCase()).digest("hex").slice(0, 12); L60: if (process.platform === "win32") { L61: return `\\\\.\\pipe\\preflight-${hash}`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/daemon/protocol.tsView on unpkg · L57
src/cli/login.jsView file
1const childProcess = require("node:child_process"); L2: const crypto = require("node:crypto"); L3: const http = require("node:http"); L4: const { URL } = require("node:url"); ... L36: L37: const platform = options.platform || process.platform; L38: const command = platform === "win32" ... L121: res.writeHead(404, { "Content-Type": "text/plain; charset=utf-8" }); L122: res.end("Not found"); L123: return; ... L180: const authUrl = buildAuthUrl({ L181: dashboardUrl: options.dashboardUrl || process.env.PREFLIGHT_DASHBOARD_URL || DEFAULT_AUTH_BASE_URL,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/cli/login.jsView on unpkg · L1
wasm/tree-sitter-javascript.wasmView file
path = wasm/tree-sitter-javascript.wasm kind = wasm_module sizeBytes = 411770 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wasm/tree-sitter-javascript.wasmView on unpkg

Findings

5 High4 Medium5 Low
HighChild Processindex.js
HighShellsrc/cli/start.ts
HighSame File Env Network Executionindex.js
HighSandbox Evasion Gated Capabilitysrc/cli/login.js
HighCloud Metadata Accessindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulewasm/tree-sitter-javascript.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/daemon/protocol.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings