registry  /  fring-dev  /  0.2.1

fring-dev@0.2.1

Build scalable applications with a consistent architecture.

AI Security Review

scanned 40m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs explicit, interactive project scaffolding and installs named development dependencies only after a user runs its commands and selects options.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `fring new` or confirms `fring add table`.
Impact
Creates or modifies the selected project directory and may install selected public dependencies; no unconsented install-time action or data exfiltration is established.
Mechanism
Interactive scaffolding, template copying, and named package-manager subprocesses.
Rationale
Scanner shell/install signals map to documented CLI scaffolding operations and are gated by explicit user commands and prompts. Source inspection found no lifecycle execution, credential harvesting, remote payload mechanism, persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jstemplates/utils/api.txttemplates/constants/env.txttemplates/auth/auth-store.txt<user project>/src/**<user project>/public/**

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks.
    • `dist/index.js` is a user-invoked `fring` CLI with `new`, `add`, `generate`, and `doctor` commands.
    • Runtime package-manager calls are explicit scaffolding actions: `create-next-app`, selected dependencies, and optional shadcn setup.
    • File writes copy bundled templates into the user-selected new/existing project; no home-directory or credential-file access found.
    • No fetch/network client, eval/vm, dynamic code loading, shell-string execution, or AI-agent configuration writes found in packaged CLI.
    • `templates/utils/api.txt` configures a generated Axios client from a user-supplied environment URL; it contains no hard-coded endpoint or exfiltration path.
    Behavioral surface
    Source
    FilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 28.9 KB of source

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    76// src/services/project-creator.ts L77: import { execa } from "execa"; L78:
    High
    Shell

    Package source references shell execution.

    dist/index.jsView on unpkg · L76
    488if (this.options.packageManager === "pnpm") { L489: await execa("pnpm", ["dlx", "shadcn@latest", "init"], { L490: cwd: this.options.projectName,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L488

    Findings

    2 High2 Low
    HighShelldist/index.js
    HighRuntime Package Installdist/index.js
    LowScripts Present
    LowFilesystem