I Scanned a Real Public Magento Extension with AI — Here's What It Found

EJ Wisner — Mon, 13 Apr 2026 14:03:31 +0000

I've been building Ghost Architect — an AI-powered codebase triage tool. To prove it works on real code, I pointed it at a well-known public Magento 2 extension used by thousands of stores: the Meta for Magento 2 Facebook Business Extension.
I didn't cherry-pick the results. Here's what came back.
The scan

658 files analyzed
18 architectural findings surfaced
Cost: $0.2372 in Anthropic API usage
Time: under 10 minutes

Finding #1 — Critical: Client-Side Credential Exposure
The FBE installation flow returns Meta OAuth access tokens in JSON responses and stores them in window.facebookBusinessExtensionConfig. The fbe_installs.js script then uses these tokens to make Graph API calls directly from the browser.
Attack vectors: DevTools inspection, XSS anywhere in Magento, CDN caching, session replay tools.
Estimated fix: 8-12 hours.
Finding #9 — Critical: Ad Spend Inflation Race Condition
A race condition in event ID deduplication causes 10-20% duplicate Conversion API events — inflating Meta ad spend by thousands monthly. Ghost flagged this as the most expensive bug in the codebase.
Estimated fix: 10-14 hours.
Finding #3 — High: Mass Assignment Configuration Vulnerability
The PersistConfiguration controller accepts arbitrary POST parameters and saves them directly to core_config_data without validation. Combined with missing CSRF protection, any system configuration value is writable by an attacker.
Estimated fix: 6-8 hours.
What Ghost doesn't do
These are pattern-based starting points — not proven exploits. Ghost doesn't run dynamic analysis or confirm vulnerabilities are exploitable. It gives your engineers a map of where to look, not a penetration test report.
Try it yourself
Ghost Open is free and runs locally. Your code never leaves your machine.
npm i -g ghost-architect-open
Full output — PDF, multipass analysis, all severity levels — is Ghost Pro at ghostarchitect.dev.

I ran my AI codebase triage tool on itself — here's what it found

EJ Wisner — Mon, 06 Apr 2026 20:28:29 +0000

I built Ghost Architect™ Open — a free, local AI tool that triages codebases and scores findings by severity. To test it properly, I ran it on its own source code.

It found a Critical bug.

The finding

The redaction engine — the module that strips API keys and secrets before sending code to Claude — had a pointer offset bug. When replacing a secret pattern, it wasn't advancing the scan position after each replacement. On files with 50+ environment variables, it would stop redacting halfway through.

Users were seeing "Redacted 12 patterns" and assuming their code was safe. Pattern 13 was their database password.

The bug was fixed the same day. That's the point — you can't fix what you can't see.

What Ghost Architect™ Open does

Points at any local directory, ZIP file, or GitHub repo
Triages the code and scores findings: Critical, High, Medium, Low
Runs entirely on your machine — your code never leaves
Uses the Anthropic API with your own key (new accounts get a $5 credit)
Supports PHP, Python, Node.js, Java, Go, React, and more

Free vs Pro

Ghost Open is free. It returns Critical and High findings in TXT and Markdown format.

Ghost Pro adds Medium and Low findings, multipass analysis, project intelligence, and full PDF reports.

Try it

GitHub: https://github.com/EJWisner/ghost-architect-open