registry  /  forgr  /  0.6.2

forgr@0.6.2

Convert Markdown files into polished PDFs

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package downloads a Chromium runtime for its stated Markdown-to-PDF feature only after an explicit conversion or install-chromium action.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `forgr <markdown>` without a cached browser, or explicitly runs `npm run install-chromium`.
Impact
Creates `~/.forgr/browsers` and writes the requested PDF; no unrelated data collection or control-surface mutation was found.
Mechanism
Fixed Playwright Chromium installation and user-requested PDF generation.
Rationale
The scanner signals are explained by the package's documented Playwright-based PDF rendering workflow. Source inspection found no concrete malicious behavior, and the declared preuninstall hook cannot run because its target file is absent.
Evidence
package.jsonscripts/postinstall.jssrc/pdf.jssrc/cli.jssrc/pipeline.jssrc/browsers-path.jssrc/markdown.js~/.forgr/browsers

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/pdf.js` invokes Playwright's Chromium installer when a user runs PDF conversion and no cached browser exists.
  • `scripts/postinstall.js` can install Chromium, but it is only mapped to the user-invoked `install-chromium` npm script.
  • `src/cli.js` deletes `~/.forgr/browsers` only through the explicit `forgr uninstall` command.
Evidence against
  • `package.json` has no npm `install` or `postinstall` lifecycle hook; `preuninstall` references a missing file.
  • The installer command is fixed, uses the pinned local `playwright-core` dependency, and stores its browser cache under `~/.forgr/browsers`.
  • `src/pdf.js` writes only the requested PDF output and removes only Playwright FFmpeg cache entries.
  • No credential harvesting, exfiltration endpoints, eval/vm usage, AI-agent configuration writes, or hidden persistence were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 31.0 KB of source

Source & flagged code

4 flagged · loading source
scripts/postinstall.jsView file
2import { rm } from 'fs/promises'; L3: import { execSync } from 'child_process'; L4: import { homedir } from 'os';
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L2
52try { L53: execSync('npx playwright-core install chromium-headless-shell', { L54: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L52
src/assets/fonts/IBMPlexMono-600.woff2View file
path = src/assets/fonts/IBMPlexMono-600.woff2 kind = high_entropy_blob sizeBytes = 50600 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/IBMPlexMono-600.woff2View on unpkg
src/pdf.jsView file
matchType = previous_version_dangerous_delta matchedPackage = forgr@0.5.2 matchedIdentity = npm:Zm9yZ3I:0.5.2 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/pdf.jsView on unpkg

Findings

1 Critical4 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/pdf.js
HighChild Processscripts/postinstall.js
HighShell
HighRuntime Package Installscripts/postinstall.js
HighShips High Entropy Blobsrc/assets/fonts/IBMPlexMono-600.woff2
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings