
Preflyt

by doureios39 · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
305 downloads · 0 stars · 0 active installs · 2 versions
Install in OpenClaw
/install preflyt
Description
Scan deployed web apps for security misconfigurations after every deploy. Checks for exposed .env files, databases, source code, open ports, missing security...
README (SKILL.md)

Preflyt - Post-Deploy Security Scan

After deploying a web app, API, or backend to a public URL, run a Preflyt scan to detect exposed secrets, misconfigurations, and unsafe defaults.

When to use this

  • After deploying a web application to production or staging
  • After deploying a backend API (Node, Python, Go, etc.)
  • After any infrastructure change that exposes a new URL

How to run a scan

npx preflyt-check https://your-deployed-url.com

With options:

# Fail if issues found (for CI/CD)
npx preflyt-check https://your-deployed-url.com --fail

# Generate a shareable report link
npx preflyt-check https://your-deployed-url.com --share

# With Pro license for unlimited scans
npx preflyt-check https://your-deployed-url.com --key YOUR_LICENSE_KEY

Exit codes:

  • 0: scan completed, no issues (or issues found without --fail)
  • 1: issues found with --fail set, or scan error

What it checks

  • Exposed .env and config files (database passwords, API keys)
  • Exposed .git repositories (source code leakage)
  • Exposed backend source code (app.py, server.js, config.php served as static files)
  • Exposed database files (dynamic detection using project name - {name}.db, {name}.sqlite3)
  • Open database ports (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
  • Directory listing detection and dangerous file parsing
  • Exposed admin panels and debug endpoints
  • Missing security headers (HSTS, CSP, X-Frame-Options, CORS)
  • Exposed backup files and source maps
  • Server version leakage
  • Insecure cookie flags

What it does NOT do

  • Does not scan source code or local files
  • Does not perform exploit attempts
  • Does not test authentication logic
  • Does not scan localhost or private networks
  • Does not read or transmit any local environment variables, files, or code

Privacy

  • Without --share: all results display in the terminal only. No data is sent to preflyt.dev beyond the initial scan request containing the target URL.
  • With --share: scan results are uploaded to preflyt.dev and a public report link is generated (valid 30 days).
  • The scan sends only the target URL to api.preflyt.dev. No local files, code, or environment variables are transmitted.
  • The npm package is open source and zero-dependency: https://github.com/doureios39/preflyt-check

Integration examples

Deploy script

#!/bin/bash
git pull
npm run build
pm2 restart app
sleep 5
npx preflyt-check https://mysite.com --fail || echo "Security issues found"

Git hook (post-receive)

#!/bin/bash
# .git/hooks/post-receive
git pull
npm run build
pm2 restart app
sleep 5
npx preflyt-check https://mysite.com

GitHub Actions

- name: Security scan
  run: npx preflyt-check ${{ env.DEPLOY_URL }} --fail

Agent behavior

When a deployment to a public URL is detected:

  1. Run npx preflyt-check <deployed-url>
  2. If HIGH severity findings exist, recommend immediate fix
  3. If MEDIUM or LOW findings, inform the user and suggest fixes
  4. If no findings, confirm deployment appears safe
  5. Never let a Preflyt error block a deployment - if the scan fails, report the error and move on

Notes

Usage Guidance
This skill is plausible for post-deploy scans but exercise caution before running its 'npx' command on any machine that holds secrets. npx will download and execute code from the npm registry — that code could read files or environment variables despite the SKILL.md's privacy claims. Before installing/using:

  1. Verify the npm package and GitHub repo (review the source code and recent commits) and confirm the publisher identity.
  2. Prefer running the scan from an isolated runner (ephemeral CI job or container) that has no secrets or sensitive files mounted.
  3. Do not use --share unless you trust preflyt.dev and understand the data shared.
  4. If you must run locally, consider vendoring or pinning the package version and auditing it, or request the skill author include the scanner code in the skill so it can be statically reviewed.
  5. If you need higher assurance, ask the maintainer for a reproducible build or a signed release and for clarification about telemetry and exact network endpoints contacted.
Capability Analysis
Type: OpenClaw Skill
Name: preflyt
Version: 1.0.1
The 'preflyt' skill is a security utility designed to scan public URLs for common misconfigurations (e.g., exposed .env files, open ports) using the `npx preflyt-check` command. The instructions in SKILL.md and README.md are consistent with its stated purpose of post-deployment verification and do not contain requests for sensitive local data, persistence mechanisms, or malicious prompt injections. While it relies on an external npm package and API (api.preflyt.dev), its behavior is transparently documented and aligned with standard security auditing practices.
Capability Assessment
Purpose & Capability
The name/description (post-deploy external scanner) matches the runtime instruction to run 'npx preflyt-check <url>', and the only required binary is node, which is proportionate. Minor inconsistency: registry metadata showed no homepage/source while SKILL.md includes a homepage and GitHub repo; that mismatch reduces trust but does not itself prove malicious intent.
Instruction Scope
SKILL.md instructs the agent to run 'npx preflyt-check <url>' and asserts the package is 'read-only' and 'does not read or transmit any local environment variables, files, or code.' In reality, npx downloads and executes code from npm on the agent's host with the permissions of the agent process, so the package could read local files or environment variables contrary to the claim. The skill gives privacy assurances (only the target URL sent) that cannot be verified from an instruction-only bundle.
Install Mechanism
No install spec is included; the skill relies on npx at runtime to fetch code from npm. Fetching and executing a package from a public registry is a common pattern but carries moderate risk (remote code execution at runtime). The SKILL.md points to a GitHub repo and npm listing which is expected, but the registry metadata omission of that information is a trust concern.
Credentials
The skill declares no required environment variables or credentials (proportional). However, the SKILL.md mentions an optional license key via a CLI flag and promises not to transmit local env/files; because the package executes locally when run via npx, it could access environment variables or files even though none are declared. That mismatch is noteworthy.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform-level privileges. Autonomous invocation is allowed by default (normal). There is no install script in the skill bundle that writes persistent credentials or modifies other skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install preflyt
  3. After installation, invoke the skill by name or use /preflyt
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Added privacy section clarifying data handling (no local files transmitted, --share behavior documented). Added verified homepage and source links to metadata. Clarified that the skill does not read or transmit local environment variables, files, or code.
v1.0.0
Initial release - 20+ security checks for deployed web apps
Metadata
Slug: preflyt
Version: 1.0.1
License: not listed
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is Preflyt?

Scan deployed web apps for security misconfigurations after every deploy. Checks for exposed .env files, databases, source code, open ports, missing security... It is an AI Agent Skill for Claude Code / OpenClaw, with 305 downloads so far.

How do I install Preflyt?

Run "/install preflyt" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Preflyt free?

Yes, Preflyt is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Preflyt support?

Preflyt is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Preflyt?

It is built and maintained by doureios39 (@doureios39); the current version is v1.0.1.
