registry  /  agent-media-cli  /  1.18.3

agent-media-cli@1.18.3

CLI tool for AI-powered UGC video generation.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a video-generation CLI with authenticated API calls and local config/credential storage. It includes first-party Claude skill lifecycle management that can update ~/.claude/skills/agent-media-v2 only by explicit command or opt-in env var, so no unconsented install-time attack is confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs agent-media commands, agent-media skill update, agent-media update, or sets AGENT_MEDIA_AUTO_UPDATE_SKILL=1
Impact
CLI may contact service endpoints, store credentials/config/cache, and update its own Claude skill files when requested or opted in
Mechanism
package-aligned API client plus opt-in/explicit Claude skill update
Rationale
Source inspection shows no install-time mutation, exfiltration, destructive action, or remote payload execution, but it does include first-party Claude skill update functionality. Per policy this is a warn-level agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/index.jsdist/lib/api.jsdist/lib/credentials.jsdist/lib/config.jsdist/lib/skill-update.jsdist/commands/skill.jsdist/commands/update.js~/.agent-media/credentials.json~/.agent-media/config.json~/.agent-media/cache/*.json~/.agent-media/.skill-update-check~/.claude/skills/agent-media-v2/SKILL.md~/.claude/skills/agent-media-v2/skills/*/SKILL.md~/.claude/skills/agent-media-v2/reference/*.md
Network endpoints5
api.agent-media.aiagent-media.ai/billingppwvarkmpffljlqxkjux.supabase.coraw.githubusercontent.com/gitroomhq/agent-media/mainregistry.npmjs.org/agent-media-cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js imports maybeCheckSkillUpdate and runs it on every CLI invocation
  • dist/lib/skill-update.js can write ~/.claude/skills/agent-media-v2 when AGENT_MEDIA_AUTO_UPDATE_SKILL=1 or via skill update
  • dist/commands/update.js runs npx --yes skills add gitroomhq/agent-media --agent claude-code --yes on explicit update command
Evidence against
  • package.json has no install/preinstall/postinstall hooks; only prepublishOnly build
  • Network use is package-aligned: api.agent-media.ai, agent-media.ai, Supabase, npm registry, GitHub raw
  • Supabase anon JWT is labeled public anon key and used for API auth, not a private secret
  • Credentials are stored/read under ~/.agent-media and sent only as Authorization to package API endpoints
  • No evidence of credential harvesting, destructive behavior, broad AI-agent hijack, or import-time payload execution
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 485 KB of source, external domains: agent-media.ai, api.agent-media.ai, cdn.example.com, example.com, nodejs.org, notion.so, ppwvarkmpffljlqxkjux.supabase.co, raw.githubusercontent.com, registry.npmjs.org, www.npmjs.com

Source & flagged code

2 flagged · loading source
dist/lib/api.jsView file
47patternName = supabase_service_key severity = critical line = 47 matchedText = const DE...44';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/lib/api.jsView on unpkg · L47
47patternName = supabase_service_key severity = critical line = 47 matchedText = const DE...44';
Critical
Secret Pattern

Supabase service role key (JWT) in dist/lib/api.js

dist/lib/api.jsView on unpkg · L47

Findings

2 Critical2 Medium5 Low
CriticalCritical Secretdist/lib/api.js
CriticalSecret Patterndist/lib/api.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings