registry  /  @andy-toolforge/footage-generation  /  1.1.0

@andy-toolforge/footage-generation@1.1.0

Toolforge domain: generate images, videos, and visuals for podcasts and content

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Confirmed first-party agent skill setup at npm postinstall plus user-invoked browser automation. No concrete malware chain or exfiltration was found, but lifecycle mutation of .opencode skills and rate-limit evasion justify a warning.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm postinstall; later explicit MCP/CLI/library image-generation calls
Impact
Adds package-owned agent skill instructions to the installing project and can automate a logged-in browser session for image generation.
Mechanism
postinstall symlink/copy of agent skills; Puppeteer-driven Gemini web automation
Rationale
This is not source-confirmed malware: the risky primitives are visible, package-aligned, and mostly user-invoked. However, postinstall mutation of an AI-agent skill surface and browser automation designed to avoid rate limits are real lifecycle/capability risks, so warn rather than block.
Evidence
package.jsonskills/postinstall.jsskills/batch-image-generator.mdlib/browser-generator.jsmcp-tools.js_private/cli.jslib/llm.js.opencode/skills/footage-generation-*.md/tmp/gemini-batch-*.prompts.md<outputDir>/*.png<project>/images/*.png
Network endpoints4
gemini.google.com/imagesgemini.google.com/librarylocalhost:9222/json/versionlocalhost:9222

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node skills/postinstall.js.
  • skills/postinstall.js creates .opencode/skills and symlinks/copies package markdown skills with footage-generation- prefix.
  • lib/browser-generator.js spawns Chrome with remote debugging and a user-data dir.
  • lib/browser-generator.js automates gemini.google.com/images and includes anti-rate-limit human simulation.
  • mcp-tools.js generate_batch_image writes a temp prompts file and spawns _private/cli.js detached.
Evidence against
  • No install-time network access or remote payload download found.
  • No credential harvesting, env dumping, or exfiltration logic found.
  • Postinstall only links package-owned .md skill files, not arbitrary foreign agent config.
  • Main import lib/index.js only exports classes; no import-time execution beyond require.
  • Network behavior is runtime/user-invoked and aligned with image generation functionality.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 10 file(s), 74.0 KB of source, external domains: gemini.google.com, www.w3.org

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
skills/postinstall.jsView file
5Install-time AI-agent control hijack evidence: L5: const projectRoot = process.cwd(); L6: const targetDir = path.join(projectRoot, '.opencode', 'skills'); L7: const sourceDir = path.join(__dirname); L8: L9: fs.mkdirSync(targetDir, { recursive: true }); L10: ... L21: // Fallback: copy if symlink fails L22: fs.copyFileSync(src, dest); L23: console.log(` 📄 Copied ${destName}`); Payload evidence from AGENTS.md: L23: prompts-template.md L24: package.json — deps: @andy-toolforge/core, sharp L25: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.jsView on unpkg · L5
lib/overlay.jsView file
matchType = normalized_sha256 matchedPackage = @andy-toolforge/footage-generation@1.0.1 matchedPath = lib/overlay.js matchedIdentity = npm:[redacted]:1.0.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/overlay.jsView on unpkg
lib/browser-generator.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @andy-toolforge/footage-generation@1.0.0 matchedIdentity = npm:[redacted]:1.0.0 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/browser-generator.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackskills/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritylib/overlay.js
HighPrevious Version Dangerous Deltalib/browser-generator.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License