registry  /  @mevdragon/vidfarm-devcli  /  0.20.10

@mevdragon/vidfarm-devcli@0.20.10

Local bridge for the Vidfarm Trackpad Editor. `vidfarm serve <template_id>` boots the FULL editor on localhost (disk-backed records/storage, free in-process render); edit composition.html on disk (Claude Code, Codex, etc.) and the browser live-morphs it.

Static Scan Results

scanned 13h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 778 KB of source, external domains: api.openai.com, elevenlabs.io, fonts.googleapis.com, generativelanguage.googleapis.com, integrate.api.nvidia.com, openrouter.ai, vidfarm.cc, vidfarm.local

Source & flagged code

4 flagged · loading source
dist/src/cli.jsView file
1940package = @mevdragon/vidfarm-devcli; repositoryIdentity = vidfarm; dependency = ffmpeg-static L1940: try { L1941: const mod = (await import("ffmpeg-static")); L1942: const resolved = typeof mod === "string" ? mod : mod.default;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/src/cli.jsView on unpkg · L1940
matchType = previous_version_dangerous_delta matchedPackage = @mevdragon/vidfarm-devcli@0.20.9 matchedIdentity = npm:[redacted]:0.20.9 similarity = 0.976 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli.jsView on unpkg
.agents/skills/embedded-captions/scripts/render-and-composite.shView file
path = .agents/skills/embedded-captions/scripts/render-and-composite.sh kind = payload_in_excluded_dir sizeBytes = 27620 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/embedded-captions/scripts/render-and-composite.shView on unpkg
path = .agents/skills/embedded-captions/scripts/render-and-composite.sh kind = build_helper sizeBytes = 27620 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/embedded-captions/scripts/render-and-composite.shView on unpkg

Findings

3 High4 Medium5 Low
HighCopied Package Dependency Bridgedist/src/cli.js
HighPayload In Excluded Dir.agents/skills/embedded-captions/scripts/render-and-composite.sh
HighPrevious Version Dangerous Deltadist/src/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/embedded-captions/scripts/render-and-composite.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings