
@andy-toolforge/footage-generation@1.0.0

Toolforge domain: generate images, videos, and visuals for podcasts and content

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install runs a lifecycle script that mutates the installing project's .opencode/skills control surface. It drops package-supplied agent instruction files by symlink or copy, creating persistent AI-agent behavior changes outside normal library imports.

Static reason: High-risk behavior combination matched malicious policy.

Trigger: npm install/postinstall

Impact: Unconsented project-level AI-agent instruction injection for future opencode/Codex-style agent runs

Mechanism: install-time AI-agent skill file symlink/copy

Policy narrative: On install, the package executes skills/postinstall.js, creates .opencode/skills in the consumer project, and symlinks or copies its markdown skill files there with a footage-generation prefix. Those files are agent instructions that can affect later AI-agent behavior without an explicit runtime API call from the user.

Rationale: The package has no exfiltration or destructive payload, but the postinstall hook performs persistent AI-agent control-surface mutation in the consumer project. Under the firewall policy this is concrete unconsented lifecycle AI-agent control-surface mutation, so it should be blocked. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence (files):
  • package.json
  • skills/postinstall.js
  • skills/workflow-podcast-processor.md
  • skills/podcast-cover-generator.md
  • skills/browser-automation-opportunities.md
  • .opencode/skills/footage-generation-workflow-podcast-processor.md
  • .opencode/skills/footage-generation-podcast-cover-generator.md
  • .opencode/skills/footage-generation-browser-automation-opportunities.md

Decision evidence

Public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills under process.cwd() during install
  • skills/postinstall.js symlinks or copies package .md skill files into that AI-agent control directory
  • skills/*.md contain operational agent instructions, including browser automation workflow guidance
Evidence against
  • No credential harvesting or exfiltration code found
  • No install-time network calls found
  • Runtime child_process spawn in lib/generator.js is user-invoked generation flow, not import/install-time
  • Main entry lib/index.js only exports classes
Behavioral surface
Source: ChildProcess, Filesystem
Supply chain: UrlStrings
Manifest: NoLicense
scanned 6 file(s), 12.1 KB of source, external domains: www.w3.org

Source & flagged code

3 flagged

package.json
scripts.postinstall = node skills/postinstall.js
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node skills/postinstall.js
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

skills/postinstall.js (L5)
Install-time AI-agent control hijack evidence:
L5: const projectRoot = process.cwd();
L6: const targetDir = path.join(projectRoot, '.opencode', 'skills');
L7: const sourceDir = path.join(__dirname);
L8:
L9: fs.mkdirSync(targetDir, { recursive: true });
L10: ...
L21: // Fallback: copy if symlink fails
L22: fs.copyFileSync(src, dest);
L23: console.log(` 📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
L23: prompts-template.md
L24: package.json — deps: @andy-toolforge/core, sharp
L25: ```
Critical: Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Findings

1 Critical, 1 High, 2 Medium, 4 Low

  • Critical: Ai Agent Control Hijack (skills/postinstall.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License