registry  /  preflight-pro  /  1.0.0-beta.9

preflight-pro@1.0.0-beta.9

The local security gate for AI-generated code.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a security scanner/remediation CLI with user-invoked network, filesystem patching, git hook, and MCP setup features.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs preflight commands such as scan, apply-fix, init, install-mcp, login, or mcp.
Impact
Can modify scanned project files or local tool configs only through explicit CLI workflows; no unconsented install/import-time attack was found.
Mechanism
User-invoked security scanning, remediation, telemetry, licensing, and MCP configuration
Rationale
Static inspection found powerful CLI capabilities, but they are package-aligned and gated behind explicit user commands with no lifecycle hook, import-time execution, credential harvesting, or hidden exfiltration. Scanner hints about metadata access and malicious delta are not supported by the reviewed source.
Evidence
package.jsoncli.jsindex.jssrc/cli/index.tssrc/commands/init.tssrc/cli/login.jssrc/telemetry/cloudReporter.jssrc/licensing/licenseManager.jssrc/router/cloud.jssrc/remediation/patcher.tssrc/release-gate/patcher.tssrc/router/hardware.js~/.preflight/config.json~/.preflight-config.json.vscode/mcp.json~/.cursor/mcp.jsonClaude/claude_desktop_config.jsongit hooks/pre-commitscanned project files during requested fixes
Network endpoints5
api.lemonsqueezy.com/v1/licenses/activateapi.lemonsqueezy.com/v1/licenses/validatepreflight-proxy.vercel.app/api/v1/license/validatepreflight-vibe.vercel.appapi.preflight.dev/api/v1/telemetry/report

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/cli/index.ts and index.js include explicit install-mcp commands that write AI-client MCP config files.
  • src/telemetry/cloudReporter.js can POST scan findings and repo metadata when a license key and findings exist.
  • src/router/cloud.js, src/remediation/patcher.ts, and src/release-gate/patcher.ts send source/diffs to PreFlight remediation endpoints for requested fixes.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • cli.js only loads src/cli/index.ts main; no import-time payload beyond CLI dispatch.
  • MCP config writes are behind explicit install/init commands, not install-time or hidden execution.
  • Network endpoints are product-aligned: licensing, login, telemetry, and remediation proxy.
  • No credential harvesting, cloud metadata request, persistence, destructive payload, or dependency confusion behavior confirmed in source.
  • child_process use is package-aligned: git hook setup, npm audit, browser open, clipboard, daemon/legacy CLI, and hardware probe.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 552 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.lemonsqueezy.com, api.preflight.dev, json.schemastore.org, openrouter.ai, preflight-proxy.vercel.app, preflight-vibe.vercel.app, preflight.local, waitlister.me, www.apple.com, your-dashboard-subdomain.vercel.app

Source & flagged code

8 flagged · loading source
index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = preflight-pro@1.0.0-beta.8 matchedIdentity = npm:cHJlZmxpZ2h0LXBybw:1.0.0-beta.8 similarity = 0.735 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

index.jsView on unpkg
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https");
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3430const literal = staticMatch[2] || staticMatch[3] || staticMatch[4] || ""; L3431: if (/\b(?:ping|curl|wget|ssh|scp|tar|zip|unzip|rm|cat|ls|cmd|powershell|nslookup)\b/i.test(literal)) { L3432: staticCommandVariables.add(staticMatch[1]);
High
Shell

Package source references shell execution.

index.jsView on unpkg · L3430
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L9: const { promisify } = require("node:util"); L10: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH || undefined, quiet: true }); L11: const { Command } = require("commander");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L3
3const fs = require("node:fs/promises"); L4: const { execFile, execSync } = require("node:child_process"); L5: const https = require("node:https"); L6: const os = require("node:os"); ... L9: const { promisify } = require("node:util"); L10: require("dotenv").config({ path: process.env.DOTENV_CONFIG_PATH || undefined, quiet: true }); L11: const { Command } = require("commander"); ... L64: } = require("./src/ast/scanner"); L65: const packageJson = require("./package.json"); L66: ... L89: export async function POST(req: NextRequest) { L90: const data = await req.json();
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

index.jsView on unpkg · L3
src/daemon/protocol.tsView file
57L58: export function getPreflightSocketPath(targetDir = process.cwd()): string { L59: const hash = crypto.createHash("sha1").update(path.resolve(targetDir).toLowerCase()).digest("hex").slice(0, 12); L60: if (process.platform === "win32") { L61: return `\\\\.\\pipe\\preflight-${hash}`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/daemon/protocol.tsView on unpkg · L57
src/cli/login.jsView file
1const childProcess = require("node:child_process"); L2: const crypto = require("node:crypto"); L3: const http = require("node:http"); L4: const { URL } = require("node:url"); ... L36: L37: const platform = options.platform || process.platform; L38: const command = platform === "win32" ... L121: res.writeHead(404, { "Content-Type": "text/plain; charset=utf-8" }); L122: res.end("Not found"); L123: return; ... L180: const authUrl = buildAuthUrl({ L181: dashboardUrl: options.dashboardUrl || process.env.PREFLIGHT_DASHBOARD_URL || DEFAULT_AUTH_BASE_URL,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/cli/login.jsView on unpkg · L1
wasm/tree-sitter-javascript.wasmView file
path = wasm/tree-sitter-javascript.wasm kind = wasm_module sizeBytes = 411770 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wasm/tree-sitter-javascript.wasmView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltaindex.js
HighChild Processindex.js
HighShellindex.js
HighSame File Env Network Executionindex.js
HighSandbox Evasion Gated Capabilitysrc/cli/login.js
HighCloud Metadata Accessindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulewasm/tree-sitter-javascript.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/daemon/protocol.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings