AI Security Review
scanned 2m ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a project generator CLI; shell/package-manager use is user-invoked scaffolding behavior rather than install-time execution.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the fring CLI commands such as project creation or table generation.
Impact
Creates or modifies files under the user-selected project directory and may install declared optional frontend dependencies.
Mechanism
Interactive project scaffolding and optional dependency installation
Rationale
Static source inspection shows expected CLI scaffolding behavior with user prompts and no lifecycle hook, credential harvesting, persistence, or exfiltration path. Scanner hits on execa/package installs are explained by project generation and optional dependency setup.
Evidence
package.jsondist/index.jstemplates/auth/auth-store.txttemplates/constants/env.txttemplates/utils/api.txtREADME.md
Network endpoints3
github.com/heisenberg-xx/fringgit+https://github.com/heisenberg-xx/fring.gitlocalhost:3000/fring/table
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin fring -> dist/index.js.
- dist/index.js is an interactive scaffold CLI that prompts before optional installs and writes into the requested project path.
- execa calls run package-aligned commands: create-next-app, dependency installs, shadcn init/add, git --version/status.
- Template token/secret references are generated app code, not harvesting or exfiltration by this package.
- No fetch/http client calls or hardcoded exfiltration endpoints found in package runtime source.
Behavioral surface
FilesystemShell
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
76// src/services/project-creator.ts
L77: import { execa } from "execa";
L78:
High
471if (this.options.packageManager === "pnpm") {
L472: await execa("pnpm", ["dlx", "shadcn@latest", "init"], {
L473: cwd: this.options.projectName,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L471Findings
2 High2 Low
HighShelldist/index.js
HighRuntime Package Installdist/index.js
LowScripts Present
LowFilesystem