AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a video-generation CLI with authenticated API calls and local config/credential storage. It includes first-party Claude skill lifecycle management that can update ~/.claude/skills/agent-media-v2 only by explicit command or opt-in env var, so no unconsented install-time attack is confirmed.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs agent-media commands, agent-media skill update, agent-media update, or sets AGENT_MEDIA_AUTO_UPDATE_SKILL=1
Impact
CLI may contact service endpoints, store credentials/config/cache, and update its own Claude skill files when requested or opted in
Mechanism
package-aligned API client plus opt-in/explicit Claude skill update
Rationale
Source inspection shows no install-time mutation, exfiltration, destructive action, or remote payload execution, but it does include first-party Claude skill update functionality. Per policy this is a warn-level agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/index.jsdist/lib/api.jsdist/lib/credentials.jsdist/lib/config.jsdist/lib/skill-update.jsdist/commands/skill.jsdist/commands/update.js~/.agent-media/credentials.json~/.agent-media/config.json~/.agent-media/cache/*.json~/.agent-media/.skill-update-check~/.claude/skills/agent-media-v2/SKILL.md~/.claude/skills/agent-media-v2/skills/*/SKILL.md~/.claude/skills/agent-media-v2/reference/*.md
Network endpoints5
api.agent-media.aiagent-media.ai/billingppwvarkmpffljlqxkjux.supabase.coraw.githubusercontent.com/gitroomhq/agent-media/mainregistry.npmjs.org/agent-media-cli/latest
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/index.js imports maybeCheckSkillUpdate and runs it on every CLI invocation
- dist/lib/skill-update.js can write ~/.claude/skills/agent-media-v2 when AGENT_MEDIA_AUTO_UPDATE_SKILL=1 or via skill update
- dist/commands/update.js runs npx --yes skills add gitroomhq/agent-media --agent claude-code --yes on explicit update command
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build
- Network use is package-aligned: api.agent-media.ai, agent-media.ai, Supabase, npm registry, GitHub raw
- Supabase anon JWT is labeled public anon key and used for API auth, not a private secret
- Credentials are stored/read under ~/.agent-media and sent only as Authorization to package API endpoints
- No evidence of credential harvesting, destructive behavior, broad AI-agent hijack, or import-time payload execution
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/lib/api.jsView file
47patternName = supabase_service_key
severity = critical
line = 47
matchedText = const DE...44';
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/lib/api.jsView on unpkg · L4747patternName = supabase_service_key
severity = critical
line = 47
matchedText = const DE...44';
Critical
Findings
2 Critical2 Medium5 Low
CriticalCritical Secretdist/lib/api.js
CriticalSecret Patterndist/lib/api.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings