AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The only network-capable behavior is a user-invoked Chromium download required for local PDF rendering.
Decision evidence
public snapshot- `src/pdf.js` invokes `npx playwright-core install chromium-headless-shell` only while rendering after a user runs the CLI.
- `scripts/postinstall.js` contains the same browser-download command, but it is only exposed as the explicit `install-chromium` script.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `scripts/preuninstall.js` is referenced but absent from the package, so no uninstall script payload is shipped.
- `src/pipeline.js` reads the user-selected Markdown input and writes its requested PDF output.
- `src/pdf.js` uses Playwright locally for PDF generation and only removes `ffmpeg-*` from its own browser cache.
- No credential harvesting, exfiltration endpoint, dynamic payload loader, AI-agent configuration write, or persistence code was found.
- Font blobs are valid WOFF2 assets used by the PDF template.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
scripts/postinstall.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
scripts/postinstall.jsView on unpkg · L52Package ships high-entropy non-source blobs.
src/assets/fonts/IBMPlexMono-600.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/pdf.jsView on unpkg