AI Security Review
scanned 40m ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs explicit, interactive project scaffolding and installs named development dependencies only after a user runs its commands and selects options.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `fring new` or confirms `fring add table`.
Impact
Creates or modifies the selected project directory and may install selected public dependencies; no unconsented install-time action or data exfiltration is established.
Mechanism
Interactive scaffolding, template copying, and named package-manager subprocesses.
Rationale
Scanner shell/install signals map to documented CLI scaffolding operations and are gated by explicit user commands and prompts. Source inspection found no lifecycle execution, credential harvesting, remote payload mechanism, persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jstemplates/utils/api.txttemplates/constants/env.txttemplates/auth/auth-store.txt<user project>/src/**<user project>/public/**
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall hooks.
- `dist/index.js` is a user-invoked `fring` CLI with `new`, `add`, `generate`, and `doctor` commands.
- Runtime package-manager calls are explicit scaffolding actions: `create-next-app`, selected dependencies, and optional shadcn setup.
- File writes copy bundled templates into the user-selected new/existing project; no home-directory or credential-file access found.
- No fetch/network client, eval/vm, dynamic code loading, shell-string execution, or AI-agent configuration writes found in packaged CLI.
- `templates/utils/api.txt` configures a generated Axios client from a user-supplied environment URL; it contains no hard-coded endpoint or exfiltration path.
Behavioral surface
FilesystemShell
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
76// src/services/project-creator.ts
L77: import { execa } from "execa";
L78:
High
488if (this.options.packageManager === "pnpm") {
L489: await execa("pnpm", ["dlx", "shadcn@latest", "init"], {
L490: cwd: this.options.projectName,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L488Findings
2 High2 Low
HighShelldist/index.js
HighRuntime Package Installdist/index.js
LowScripts Present
LowFilesystem