
@andy-toolforge/footage-generation@1.0.1

Toolforge domain: generate images, videos, and visuals for podcasts and content

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates a project-level Opencode skills directory by planting package-supplied agent instructions. This is an unconsented lifecycle write into a broad AI-agent control surface.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / postinstall
Impact
Package instructions become available to Opencode agents in the consuming project without explicit user action.
Mechanism
lifecycle symlink/copy of AI-agent skill files
Policy narrative
On installation, the postinstall script creates .opencode/skills in the consumer project and symlinks or copies all packaged markdown skills there. Those files become agent-facing instructions, including browser automation guidance for Gemini, without an explicit user-invoked setup step.
Rationale
Although the package functionality is mostly aligned with image/podcast generation, the lifecycle hook unconditionally plants agent skill files into .opencode/skills, a broad AI-agent control surface. Under the install control-surface policy, that unconsented lifecycle mutation is a blockable AI-agent control hijack.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/browser-automation-opportunities.md
  • lib/llm.js
  • mcp-tools.js
  • .opencode/skills/footage-generation-workflow-podcast-processor.md
  • .opencode/skills/footage-generation-podcast-cover-generator.md
  • .opencode/skills/footage-generation-browser-automation-opportunities.md
Network endpoints (2)
  • gemini.google.com/images
  • gemini.google.com

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills under process.cwd during install
  • postinstall symlinks or copies package .md skills into that AI-agent control surface without opt-in
  • skills/browser-automation-opportunities.md promotes automating gemini.google.com as an unlimited API
Evidence against
  • No credential harvesting or exfiltration found in JS sources
  • No install-time network calls found
  • Runtime LLM/image methods are user-invoked and package-aligned
  • MCP tools only expose prompt-generation handlers
Behavioral surface
Source: ChildProcess, Filesystem
Supply chain: UrlStrings
Manifest: NoLicense
scanned 7 file(s), 26.6 KB of source, external domains: www.w3.org

Source & flagged code

3 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

skills/postinstall.js
L5 · Install-time AI-agent control hijack evidence:
  L5: const projectRoot = process.cwd();
  L6: const targetDir = path.join(projectRoot, '.opencode', 'skills');
  L7: const sourceDir = path.join(__dirname);
  L8:
  L9: fs.mkdirSync(targetDir, { recursive: true });
  L10: ...
  L21: // Fallback: copy if symlink fails
  L22: fs.copyFileSync(src, dest);
  L23: console.log(` 📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
  L23: prompts-template.md
  L24: package.json — deps: @andy-toolforge/core, sharp
  L25: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.


Findings

1 Critical · 1 High · 2 Medium · 4 Low
  • Critical: Ai Agent Control Hijack (skills/postinstall.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License