Anyone concerned about the security

[ahkow35]

I ran an security of this git via cc and found this:

ruvnet/ruflo Security Audit

Project: RuFlo v3.5.15 — multi-agent AI orchestration platform (TypeScript/Node.js, SvelteKit UI, Docker Compose, MCP server). Claims "enterprise-grade security" — does not deliver
it.

---

CRITICAL (4 findings)

1. Unauthenticated MCP endpoints — any network actor can POST to /mcp/* and trigger arbitrary tool execution. Zero auth required.
2. Autopilot blocklist regex bypass — browser_fill$ doesn't block browser_fill_form; pattern trivially evaded.
3. SSRF via user-configurable URLs — no allowlist, no private IP blocking; attackers can probe Docker-internal services and cloud metadata endpoints (AWS 169.254.169.254 etc).
4. Prototype pollution — { ...req.body } spreads unsanitized user JSON, including proto and constructor keys.

---

HIGH (8 findings)

• Full process.env (all API keys) passed to every spawned child process — any compromised npm package gets everything
• No rate limiting anywhere — DoS via API quota exhaustion or memory flooding
• WebSocket auth disabled by default — all deployments without explicit config are fully open
• No WebSocket Origin validation → Cross-Site WebSocket Hijacking
• CORS wildcard + credentials: true — XSS on any subdomain = full credential theft
• nginx missing all security headers (X-Frame-Options, CSP, HSTS) and injects a <script> tag into all HTML
• GitHub Actions expression injection — ${{ matrix.count }} in inline JS can exfiltrate NPM_TOKEN and repo secrets
• npm audit || true everywhere — CVEs never block builds or publishing

---

MEDIUM (10 findings)

MongoDB port 27017 exposed on the Docker host with no auth; Math.random() for session IDs; path traversal via symlink; no inter-node auth in federation; memory search not scoped by
user identity; curl-pipe-bash install with no checksum.

---

Key Irony

The internal security module (@claude-flow/security/) is actually well-built — bcrypt cost 12, timing-safe comparisons, allowlisted commands. It just isn't applied to the
external-facing MCP bridge or nginx layer.

---

Do not deploy this to production as-is. The default configuration is exploitable without credentials from anywhere on the network.

[Oliver-Johnson]

Have you tried fixing any of these?... Just thought I'd ask before I give it a go myself.