registry  /  pingfusi  /  0.2.0

pingfusi@0.2.0

pingfusi: clone websites pixel-perfect and polish any AI-built draft, verified with review rounds. Enforced, gated workflow — a green check is a command that exits 0, never a screenshot.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 419 KB of source, external domains: 127.0.0.1, cdn.example.com, developers.cloudflare.com, docs.claude.com, engines-pad-firewire-investing.trycloudflare.com, example.com, nodejs.org, pingfusi.com, www.w3.org, x.trycloudflare.com

Source & flagged code

4 flagged · loading source
tools/cli-selftest.jsView file
16const path = require("path"); L17: const cp = require("child_process"); L18:
High
Child Process

Package source references child process execution.

tools/cli-selftest.jsView on unpkg · L16
7Cross-file remote execution chain: tools/cli-selftest.js spawns harness/serve.js; helper contains network access plus dynamic code execution. L7: * loudly with a self-describing, actionable message (never a raw stack), and use stable L8: * exit codes. Each assertion here is a bug we fixed; this file keeps it fixed. L9: * ... L16: const path = require("path"); L17: const cp = require("child_process"); L18: L19: const PD = path.join(__dirname, "pixel-diff.js"); L20: const { resolvePath } = require("../harness/serve.js"); ... L98: { L99: const holder = cp.spawn(process.execPath, ["-e", "require('http').createServer(() => {}).listen(18094, () => console.log('up')); setTimeout(() => {}, 30000)"], { stdio: ["ignore", ... L100: try { ... L115: cwd: dir,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

tools/cli-selftest.jsView on unpkg · L7
tools/merge-snapshot.jsView file
24L25: const fs = require("fs"); L26:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tools/merge-snapshot.jsView on unpkg · L24
vendor/pingfusi-review.mjsView file
9import { createHash } from "node:crypto"; L10: import { execFile } from "node:child_process"; L11: import { promisify } from "node:util"; ... L15: const execFileP = promisify(execFile); L16: const APP_URL = process.env.PINGHUMANS_APP_URL ?? process.env.PINGFUSI_APP_URL ?? "https://pingfusi.com"; L17: // Hoisted with the other top-of-module consts — the entry try-block runs
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

vendor/pingfusi-review.mjsView on unpkg · L9

Findings

4 High3 Medium4 Low
HighChild Processtools/cli-selftest.js
HighShell
HighSame File Env Network Executionvendor/pingfusi-review.mjs
HighCross File Remote Execution Contexttools/cli-selftest.js
MediumDynamic Requiretools/merge-snapshot.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings