registry  /  @andy-toolforge/footage-generation  /  1.2.0

@andy-toolforge/footage-generation@1.2.0

Toolforge domain: generate images, videos, and visuals for podcasts and content

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The main risk is install-time setup of package-owned OpenCode skill files. Runtime browser automation is explicit image-generation functionality and does not show exfiltration or payload execution.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; explicit MCP/CLI/library calls start browser generation
Impact
Warn-level agent extension lifecycle risk; no confirmed malicious attack chain
Mechanism
postinstall agent skill setup plus user-invoked Puppeteer browser automation
Rationale
Source inspection confirms a postinstall mutation of an AI-agent skill surface, but it is package-scoped and aligned with documented functionality, with no exfiltration, remote code execution, or destructive behavior. Per policy this warrants warning rather than publish blocking.
Evidence
package.jsonskills/postinstall.jslib/browser-generator.jslib/llm.jsmcp-tools.js_private/cli.jslib/writer.js.opencode/skills/footage-generation-*.mdoutputDir/*.pngoutputDir/debug/*.pngfolderPath/prompts.mdfolderPath/mapping-phan-canh.mdfolderPath/prompts-covers.md/tmp/gemini-batch-*.prompts.md
Network endpoints4
gemini.google.com/imagesgemini.google.com/librarygoogleusercontent.comlocalhost:<debugPort>/json/version

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills and symlinks/copies package markdown as footage-generation-*.md
  • lib/browser-generator.js launches Chrome with remote debugging and automates Gemini Images
  • lib/browser-generator.js includes human-like typing/delays and rate-limit handling
  • mcp-tools.js can spawn _private/cli.js in background for batch image generation
Evidence against
  • No credential/env harvesting found in inspected source
  • No remote payload download, eval/vm/Function, native binary loading, or destructive file operations found
  • Network use is package-aligned: Gemini image generation, googleusercontent image fetches, localhost Chrome debug probe
  • Postinstall writes only package-prefixed skill files, not broad foreign agent configuration
  • Runtime file writes are user/output artifacts: prompts, PNGs, debug screenshots
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 10 file(s), 78.1 KB of source, external domains: gemini.google.com, www.w3.org

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
skills/postinstall.jsView file
5Install-time AI-agent control hijack evidence: L5: const projectRoot = process.cwd(); L6: const targetDir = path.join(projectRoot, '.opencode', 'skills'); L7: const sourceDir = path.join(__dirname); L8: L9: fs.mkdirSync(targetDir, { recursive: true }); L10: ... L21: // Fallback: copy if symlink fails L22: fs.copyFileSync(src, dest); L23: console.log(` 📄 Copied ${destName}`); Payload evidence from AGENTS.md: L23: prompts-template.md L24: package.json — deps: @andy-toolforge/core, sharp L25: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.jsView on unpkg · L5
lib/overlay.jsView file
matchType = normalized_sha256 matchedPackage = @andy-toolforge/footage-generation@1.0.1 matchedPath = lib/overlay.js matchedIdentity = npm:[redacted]:1.0.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/overlay.jsView on unpkg
lib/browser-generator.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @andy-toolforge/footage-generation@1.1.0 matchedIdentity = npm:[redacted]:1.1.0 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/browser-generator.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackskills/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritylib/overlay.js
HighPrevious Version Dangerous Deltalib/browser-generator.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License