Anyone concerned about the security

[ahkow35]

I ran an security of this git via cc and found this:

ruvnet/ruflo Security Audit

Project: RuFlo v3.5.15 — multi-agent AI orchestration platform (TypeScript/Node.js, SvelteKit UI, Docker Compose, MCP server). Claims "enterprise-grade security" — does not deliver
it.

---

CRITICAL (4 findings)

1. Unauthenticated MCP endpoints — any network actor can POST to /mcp/* and trigger arbitrary tool execution. Zero auth required.
2. Autopilot blocklist regex bypass — browser_fill$ doesn't block browser_fill_form; pattern trivially evaded.
3. SSRF via user-configurable URLs — no allowlist, no private IP blocking; attackers can probe Docker-internal services and cloud metadata endpoints (AWS 169.254.169.254 etc).
4. Prototype pollution — { ...req.body } spreads unsanitized user JSON, including proto and constructor keys.

---

HIGH (8 findings)

• Full process.env (all API keys) passed to every spawned child process — any compromised npm package gets everything
• No rate limiting anywhere — DoS via API quota exhaustion or memory flooding
• WebSocket auth disabled by default — all deployments without explicit config are fully open
• No WebSocket Origin validation → Cross-Site WebSocket Hijacking
• CORS wildcard + credentials: true — XSS on any subdomain = full credential theft
• nginx missing all security headers (X-Frame-Options, CSP, HSTS) and injects a <script> tag into all HTML
• GitHub Actions expression injection — ${{ matrix.count }} in inline JS can exfiltrate NPM_TOKEN and repo secrets
• npm audit || true everywhere — CVEs never block builds or publishing

---

MEDIUM (10 findings)

MongoDB port 27017 exposed on the Docker host with no auth; Math.random() for session IDs; path traversal via symlink; no inter-node auth in federation; memory search not scoped by
user identity; curl-pipe-bash install with no checksum.

---

Key Irony

The internal security module (@claude-flow/security/) is actually well-built — bcrypt cost 12, timing-safe comparisons, allowlisted commands. It just isn't applied to the
external-facing MCP bridge or nginx layer.

---

Do not deploy this to production as-is. The default configuration is exploitable without credentials from anywhere on the network.

[Oliver-Johnson]

Have you tried fixing any of these?... Just thought I'd ask before I give it a go myself.

[kevinha98]

im unable to download zip due to virus

[roman-rr]

Your security concerns are well-founded. We ran an independent audit and found additional issues beyond what you've listed:

Security findings from our audit:

1. verifySignature() returns true unconditionally — in RaftConsensus.js, the Byzantine/Raft consensus has no actual cryptographic verification. Comment in source: 'In real implementation, verify with sender's public key.'

2. hive-mind spawn --claude uses --dangerously-skip-permissions — the entire hive-mind spawns Claude CLI processes with all safety checks disabled.

3. 97% of 'security' tools are stubs — aidefence_scan, security scan, etc. register but most don't perform actual analysis.

4. Intelligence layer reads/writes 100+ MB of state files per session — graph-state.json (100 MB), ranked-context.json (8.7 MB), auto-memory-store.json (5.9 MB) — all on local disk with no encryption.

5. Token Optimizer metrics fabricated — claimed '30-50% savings' but source code shows this.stats.totalTokensSaved += 100 (hardcoded) and await this.sleep(352) as benchmark baseline.

The security audit in issue #1375 was closed by the maintainer. The concerns remain unaddressed in v3.5.51.

Full audit: Independent Audit