AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package installs a Chromium renderer for its stated Markdown-to-PDF function only after an explicit script or conversion path requires it.
Decision evidence
public snapshot- `package.json` has no npm preinstall/install/postinstall hook; `install-chromium` is an explicit script.
- `bin/forgr` only imports `src/cli.js`, which requires an explicit convert or uninstall command.
- `src/pdf.js` downloads Playwright Chromium only during user-invoked PDF generation when absent.
- Browser files are confined to `~/.forgr/browsers`; removal targets only ffmpeg entries there.
- No source reads credentials, scans sensitive files, contacts a package-controlled endpoint, or mutates AI-agent settings.
- `preuninstall` references a missing script and is not included in the published file list, so it cannot perform the hinted uninstall action.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
scripts/postinstall.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
scripts/postinstall.jsView on unpkg · L52Package ships high-entropy non-source blobs.
src/assets/fonts/IBMPlexMono-600.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/pdf.jsView on unpkg