registry  /  pingfusi  /  0.3.1

pingfusi@0.3.1

pingfusi: clone websites pixel-perfect and polish any AI-built draft, verified with review rounds. Enforced, gated workflow — a green check is a command that exits 0, never a screenshot.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pingfusi setup`, `pingfusi agent-setup`, or the review installer setup command.
Impact
The package can alter user AI-client configuration and direct those clients to its review service; this is user-invoked rather than lifecycle-driven.
Mechanism
Explicit AI-client MCP, rules, and skill configuration plus package-aligned OAuth/telemetry.
Rationale
Source does not support a malicious verdict: the flagged capabilities are documented, package-aligned, and activated by explicit commands. Warn because explicit agent configuration and MCP setup are security-relevant control-surface changes.
Evidence
package.jsonbin/pingfusiharness/setup.jsharness/agent-setup.jsvendor/pingfusi-review.mjsharness/tunnel.jstools/cli-selftest.js~/.claude/skills/<package-skill>/SKILL.md~/.claude.json~/.cursor/mcp.json~/.cursor/rules/pingfusi.mdc~/.codex/config.toml~/.config/pingfusi/credentials.json
Network endpoints5
pingfusi.compingfusi.com/api/cli/telemetrypingfusi.com/api/oauth/device/codepingfusi.com/api/oauth/device/tokenpingfusi.com/api/cli/whoami

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `harness/setup.js` explicitly invokes an installer that patches supported AI-client configs.
  • `harness/agent-setup.js` copies package skills into `~/.claude/skills/` on `pingfusi agent-setup` or setup.
  • `vendor/pingfusi-review.mjs` writes MCP/rule files for Claude Code, Cursor, and Codex after device login.
  • `vendor/pingfusi-review.mjs` sends optional telemetry and performs OAuth/API requests to `https://pingfusi.com`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle hook.
  • Agent configuration writes are reached through explicit `pingfusi setup` or `pingfusi agent-setup` commands with interactive consent checks.
  • The CLI routes normal commands to documented workflow tools; no import-time installer execution was found.
  • No credential harvesting, remote code download/eval, hidden persistence, or destructive behavior was found in inspected sources.
  • `tools/cli-selftest.js` child-process and curl usage is confined to an opt-in local self-test.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 459 KB of source, external domains: 127.0.0.1, cdn.example.com, developers.cloudflare.com, docs.claude.com, engines-pad-firewire-investing.trycloudflare.com, example.com, nodejs.org, old-tunnel.example.com, pingfusi.com, www.w3.org, x.trycloudflare.com

Source & flagged code

5 flagged · loading source
tools/cli-selftest.jsView file
16const path = require("path"); L17: const cp = require("child_process"); L18:
High
Child Process

Package source references child process execution.

tools/cli-selftest.jsView on unpkg · L16
7Cross-file remote execution chain: tools/cli-selftest.js spawns harness/serve.js; helper contains network access plus dynamic code execution. L7: * loudly with a self-describing, actionable message (never a raw stack), and use stable L8: * exit codes. Each assertion here is a bug we fixed; this file keeps it fixed. L9: * ... L16: const path = require("path"); L17: const cp = require("child_process"); L18: L19: const PD = path.join(__dirname, "pixel-diff.js"); L20: const { resolvePath } = require("../harness/serve.js"); ... L81: { L82: const buf = Buffer.from("hello"); L83: const goodSha = require("crypto").createHash("sha256").update(buf).digest("hex"); ... L109: {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

tools/cli-selftest.jsView on unpkg · L7
tools/merge-snapshot.jsView file
24L25: const fs = require("fs"); L26:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tools/merge-snapshot.jsView on unpkg · L24
vendor/pingfusi-review.mjsView file
9import { createHash } from "node:crypto"; L10: import { execFile } from "node:child_process"; L11: import { promisify } from "node:util"; ... L15: const execFileP = promisify(execFile); L16: const APP_URL = process.env.PINGHUMANS_APP_URL ?? process.env.PINGFUSI_APP_URL ?? "https://pingfusi.com"; L17: // Hoisted with the other top-of-module consts — the entry try-block runs
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

vendor/pingfusi-review.mjsView on unpkg · L9
harness/tunnel.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pingfusi@0.2.2 matchedIdentity = npm:cGluZ2Z1c2k:0.2.2 similarity = 0.763 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

harness/tunnel.jsView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltaharness/tunnel.js
HighChild Processtools/cli-selftest.js
HighShell
HighSame File Env Network Executionvendor/pingfusi-review.mjs
HighCross File Remote Execution Contexttools/cli-selftest.js
MediumDynamic Requiretools/merge-snapshot.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings