registry  /  @pinfix/plugin  /  1.2.0

@pinfix/plugin@1.2.0

Visual UI annotation overlay for Claude Code-powered source editing in dev servers.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User installs, configures the plugin, and starts a development server; then sends an overlay request.
Impact
User-authored overlay prompts can cause the configured Claude Code session to modify the active project.
Mechanism
Local WebSocket bridge to a Claude Agent SDK session with automatic permissions.
Rationale
No concrete malicious chain is established, but the package deliberately exposes an auto-permission coding agent through a local browser overlay. Flag as a warning for dangerous capability rather than block as malware.
Evidence
package.jsondist/chunk-XCBM54EQ.jsdist/channel-server.jsdist/overlay.iife.global.jsREADME.mdnode_modules/.cache/pinfix/server.pid
Network endpoints1
ws://localhost:<port>

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/channel-server.js` starts Claude Agent SDK with `permissionMode: "auto"` in the project cwd.
  • Browser WebSocket messages supply source locations, prompts, and chat content to that agent session.
  • `dist/chunk-XCBM54EQ.js` auto-spawns the bundled helper when the configured dev server runs.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • The only runtime endpoint is localhost WebSocket transport (`ws://localhost:<port>`).
  • No package code shows credential harvesting, remote HTTP upload, eval, or foreign AI-agent config writes.
  • Filesystem writes are limited to `node_modules/.cache/pinfix/server.pid` lifecycle cleanup.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 406 KB of source, external domains: docs.python.org, github.com, tc39.es

Source & flagged code

2 flagged · loading source
dist/chunk-XCBM54EQ.jsView file
167// src/server.ts L168: import { spawn } from "child_process"; L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-XCBM54EQ.jsView on unpkg · L167
29Cross-file remote execution chain: dist/chunk-XCBM54EQ.js spawns dist/overlay.iife.global.js; helper contains network access plus dynamic code execution. L29: const [filePath, query] = id.split("?", 2); L30: const params = new URLSearchParams(query || ""); L31: if (filePath.endsWith(".vue") && (params.get("lang") === "tsx" || params.get("lang") === "jsx")) { ... L167: // src/server.ts L168: import { spawn } from "child_process"; L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs"; ... L176: function getRuntimeDir() { L177: return typeof __dirname === "string" ? __dirname : dirname(fileURLToPath(import.meta.url)); L178: } ... L209: env: { L210: ...process.env, L211: PINFIX_PORT: String(options.port),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-XCBM54EQ.jsView on unpkg · L29

Findings

3 High1 Medium4 Low
HighChild Processdist/chunk-XCBM54EQ.js
HighShell
HighCross File Remote Execution Contextdist/chunk-XCBM54EQ.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings