🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Preflyt

by @doureios39

Scan deployed web apps for security misconfigurations after every deploy. Checks for exposed .env files, databases, source code, open ports, missing security...

Versionv1.0.1
Downloads554
TERMINAL
clawhub install preflyt

πŸ“– About This Skill


name: preflyt description: >- Scan deployed web apps for security misconfigurations after every deploy. Checks for exposed .env files, databases, source code, open ports, missing security headers, .git exposure, directory listings, and more. Non-intrusive, read-only. metadata: openclaw: emoji: "πŸ”’" requires: bins: ["node"] homepage: https://preflyt.dev source: https://github.com/doureios39/preflyt-check

Preflyt - Post-Deploy Security Scan

After deploying a web app, API, or backend to a public URL, run a Preflyt scan to detect exposed secrets, misconfigurations, and unsafe defaults.

When to use this

  • After deploying a web application to production or staging
  • After deploying a backend API (Node, Python, Go, etc.)
  • After any infrastructure change that exposes a new URL
  • How to run a scan

    npx preflyt-check https://your-deployed-url.com
    

    With options:

    # Fail if issues found (for CI/CD)
    npx preflyt-check https://your-deployed-url.com --fail

    Generate a shareable report link

    npx preflyt-check https://your-deployed-url.com --share

    With Pro license for unlimited scans

    npx preflyt-check https://your-deployed-url.com --key YOUR_LICENSE_KEY

    Exit codes:

  • 0: scan completed, no issues (or issues found without --fail)
  • 1: issues found with --fail set, or scan error
  • What it checks

  • Exposed .env and config files (database passwords, API keys)
  • Exposed .git repositories (source code leakage)
  • Exposed backend source code (app.py, server.js, config.php served as static files)
  • Exposed database files (dynamic detection using project name - {name}.db, {name}.sqlite3)
  • Open database ports (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
  • Directory listing detection and dangerous file parsing
  • Exposed admin panels and debug endpoints
  • Missing security headers (HSTS, CSP, X-Frame-Options, CORS)
  • Exposed backup files and source maps
  • Server version leakage
  • Insecure cookie flags
  • What it does NOT do

  • Does not scan source code or local files
  • Does not perform exploit attempts
  • Does not test authentication logic
  • Does not scan localhost or private networks
  • Does not read or transmit any local environment variables, files, or code
  • Privacy

  • Without --share: all results display in the terminal only. No data is sent to preflyt.dev beyond the initial scan request containing the target URL.
  • With --share: scan results are uploaded to preflyt.dev and a public report link is generated (valid 30 days).
  • The scan sends only the target URL to api.preflyt.dev. No local files, code, or environment variables are transmitted.
  • The npm package is open source and zero-dependency: https://github.com/doureios39/preflyt-check
  • Integration examples

    Deploy script

    #!/bin/bash
    git pull
    npm run build
    pm2 restart app
    sleep 5
    npx preflyt-check https://mysite.com --fail || echo "Security issues found"
    

    Git hook (post-receive)

    #!/bin/bash
    

    .git/hooks/post-receive

    git pull npm run build pm2 restart app sleep 5 npx preflyt-check https://mysite.com

    GitHub Actions

    - name: Security scan
      run: npx preflyt-check ${{ env.DEPLOY_URL }} --fail
    

    Agent behavior

    When a deployment to a public URL is detected: 1. Run npx preflyt-check 2. If HIGH severity findings exist, recommend immediate fix 3. If MEDIUM or LOW findings, inform the user and suggest fixes 4. If no findings, confirm deployment appears safe 5. Never let a Preflyt error block a deployment - if the scan fails, report the error and move on

    Notes

  • All checks are read-only and non-intrusive
  • Scans take approximately 15-30 seconds
  • Free tier: 3 scans. Pro ($9.99/mo): unlimited
  • Website: https://preflyt.dev
  • npm: https://www.npmjs.com/package/preflyt-check
  • Source: https://github.com/doureios39/preflyt-check
  • πŸ“‹ Tips & Best Practices

  • All checks are read-only and non-intrusive
  • Scans take approximately 15-30 seconds
  • Free tier: 3 scans. Pro ($9.99/mo): unlimited
  • Website: https://preflyt.dev
  • npm: https://www.npmjs.com/package/preflyt-check
  • Source: https://github.com/doureios39/preflyt-check