I've been building Ghost Architect — an AI-powered codebase triage tool. To prove it works on real code, I pointed it at a well-known public Magento 2 extension used by thousands of stores: the Meta for Magento 2 Facebook Business Extension.
I didn't cherry-pick the results. Here's what came back.
The scan
658 files analyzed
18 architectural findings surfaced
Cost: $0.2372 in Anthropic API usage
Time: under 10 minutes
Finding #1 — Critical: Client-Side Credential Exposure
The FBE installation flow returns Meta OAuth access tokens in JSON responses and stores them in window.facebookBusinessExtensionConfig. The fbe_installs.js script then uses these tokens to make Graph API calls directly from the browser.
Attack vectors: DevTools inspection, XSS anywhere in Magento, CDN caching, session replay tools.
Estimated fix: 8-12 hours.
Finding #9 — Critical: Ad Spend Inflation Race Condition
A race condition in event ID deduplication causes 10-20% duplicate Conversion API events — inflating Meta ad spend by thousands monthly. Ghost flagged this as the most expensive bug in the codebase.
Estimated fix: 10-14 hours.
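To make the race concrete, here is an added illustration (not code from the Meta for Magento 2 extension or from Ghost Architect) of why a check-then-record deduplication lets the same event_id through more than once under concurrency, and of the claim-before-yield fix. The event ids and the in-process Set standing in for the dedup store are constructed for the example.

```javascript
// Added example, not part of the original post. Simulates a Conversion API
// sender that must emit each event_id at most once. The "store" is a
// process-local Set standing in for whatever shared store a real sender uses.

// Naive sender: checks the seen-set, then awaits I/O, then records the id.
// Two concurrent calls for the same event_id both pass the check before
// either has recorded it, so both are sent.
function makeNaiveSender() {
  const seen = new Set();
  const sent = [];
  async function send(eventId) {
    if (seen.has(eventId)) return false;          // check ...
    await new Promise(r => setTimeout(r, 0));     // ... yield (simulated store round-trip) ...
    seen.add(eventId);                            // ... then record: too late
    sent.push(eventId);
    return true;
  }
  return { send, sent };
}

// Hardened sender: claim the id synchronously before any await, so the
// second concurrent call sees the claim. On failure the claim is released
// so a retry can still deliver the event.
function makeAtomicSender() {
  const claimed = new Set();
  const sent = [];
  async function send(eventId) {
    if (claimed.has(eventId)) return false;
    claimed.add(eventId);                         // claim first, no await in between
    try {
      await new Promise(r => setTimeout(r, 0));   // simulated delivery
      sent.push(eventId);
      return true;
    } catch (err) {
      claimed.delete(eventId);                    // release so the event can be retried
      throw err;
    }
  }
  return { send, sent };
}

// Fire all events concurrently and return what actually went out.
async function simulate(makeSender, eventIds) {
  const sender = makeSender();
  await Promise.all(eventIds.map(id => sender.send(id)));
  return sender.sent;
}

// Constructed input: a retried checkout event arrives twice alongside another event.
const SAMPLE_EVENTS = ['evt-checkout-1', 'evt-checkout-1', 'evt-view-2'];
```

Running `simulate(makeNaiveSender, SAMPLE_EVENTS)` yields three sends (the duplicate gets through), while `simulate(makeAtomicSender, SAMPLE_EVENTS)` yields two. In a real deployment the claim has to be atomic in the shared store rather than in process memory, for example an insert against a unique index on the event id, with the send only attempted when the insert succeeds; the ordering principle is the same.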
Finding #3 — High: Mass Assignment Configuration Vulnerability
The PersistConfiguration controller accepts arbitrary POST parameters and saves them directly to core_config_data without validation. Combined with missing CSRF protection, any system configuration value is writable by an attacker.
Estimated fix: 6-8 hours.
What Ghost doesn't do
These are pattern-based starting points — not proven exploits. Ghost doesn't run dynamic analysis or confirm vulnerabilities are exploitable. It gives your engineers a map of where to look, not a penetration test report.
Try it yourself
Ghost Open is free and runs locally. Your code never leaves your machine.
npm i -g ghost-architect-open
Full output — PDF, multipass analysis, all severity levels — is Ghost Pro at ghostarchitect.dev.