AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package downloads a Chromium runtime for its stated Markdown-to-PDF feature only after an explicit conversion or install-chromium action.
Decision evidence
public snapshot- `src/pdf.js` invokes Playwright's Chromium installer when a user runs PDF conversion and no cached browser exists.
- `scripts/postinstall.js` can install Chromium, but it is only mapped to the user-invoked `install-chromium` npm script.
- `src/cli.js` deletes `~/.forgr/browsers` only through the explicit `forgr uninstall` command.
- `package.json` has no npm `install` or `postinstall` lifecycle hook; `preuninstall` references a missing file.
- The installer command is fixed, uses the pinned local `playwright-core` dependency, and stores its browser cache under `~/.forgr/browsers`.
- `src/pdf.js` writes only the requested PDF output and removes only Playwright FFmpeg cache entries.
- No credential harvesting, exfiltration endpoints, eval/vm usage, AI-agent configuration writes, or hidden persistence were found.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
scripts/postinstall.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
scripts/postinstall.jsView on unpkg · L52Package ships high-entropy non-source blobs.
src/assets/fonts/IBMPlexMono-600.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/pdf.jsView on unpkg