registry  /  forgr  /  0.7.0

forgr@0.7.0

Convert Markdown files into polished PDFs

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only network-capable behavior is a user-invoked Chromium download required for local PDF rendering.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `forgr` conversion or explicitly runs `npm run install-chromium`.
Impact
Creates a local browser cache and the requested PDF; no source-backed credential, data-exfiltration, persistence, or agent-control action was found.
Mechanism
Downloads Playwright Chromium into the package-owned browser cache, then renders a user-selected Markdown file to PDF.
Rationale
The scanner findings map to a document-to-PDF CLI that downloads Chromium on explicit user action, not to install-time malware. The manifest does not wire the flagged helper as an npm install hook, and source inspection found no concrete malicious chain.
Evidence
package.jsonscripts/postinstall.jssrc/pdf.jssrc/pipeline.jssrc/cli.jssrc/markdown.jsbin/forgrsrc/browsers-path.js

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/pdf.js` invokes `npx playwright-core install chromium-headless-shell` only while rendering after a user runs the CLI.
  • `scripts/postinstall.js` contains the same browser-download command, but it is only exposed as the explicit `install-chromium` script.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `scripts/preuninstall.js` is referenced but absent from the package, so no uninstall script payload is shipped.
  • `src/pipeline.js` reads the user-selected Markdown input and writes its requested PDF output.
  • `src/pdf.js` uses Playwright locally for PDF generation and only removes `ffmpeg-*` from its own browser cache.
  • No credential harvesting, exfiltration endpoint, dynamic payload loader, AI-agent configuration write, or persistence code was found.
  • Font blobs are valid WOFF2 assets used by the PDF template.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 38.1 KB of source

Source & flagged code

4 flagged · loading source
scripts/postinstall.jsView file
2import { rm } from 'fs/promises'; L3: import { execSync } from 'child_process'; L4: import { homedir } from 'os';
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L2
52try { L53: execSync('npx playwright-core install chromium-headless-shell', { L54: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L52
src/assets/fonts/IBMPlexMono-600.woff2View file
path = src/assets/fonts/IBMPlexMono-600.woff2 kind = high_entropy_blob sizeBytes = 50600 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/IBMPlexMono-600.woff2View on unpkg
src/pdf.jsView file
matchType = previous_version_dangerous_delta matchedPackage = forgr@0.6.2 matchedIdentity = npm:Zm9yZ3I:0.6.2 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/pdf.jsView on unpkg

Findings

1 Critical4 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/pdf.js
HighChild Processscripts/postinstall.js
HighShell
HighRuntime Package Installscripts/postinstall.js
HighShips High Entropy Blobsrc/assets/fonts/IBMPlexMono-600.woff2
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings