AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. On an explicit PDF-render command, the package may download a Chromium runtime to its own cache and render user-provided Markdown into a PDF.
Decision evidence
public snapshot- src/pdf.js runs `npx playwright-core install chromium-headless-shell` only when Chromium is absent during PDF rendering.
- scripts/postinstall.js contains the same Chromium-download helper but is not an npm lifecycle hook.
- package.json has no preinstall/install/postinstall lifecycle hook; `install-chromium` is an explicit user script.
- package.json references scripts/preuninstall.js, but that file is absent and excluded from published files.
- src/pdf.js stores only Playwright browser assets under ~/.forgr/browsers and deletes bundled FFmpeg there.
- src/pipeline.js reads the user-selected Markdown file and writes the requested PDF output.
- No package-owned HTTP client, credential harvesting, agent-control writes, payload loading, or persistence mechanism was found.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
scripts/postinstall.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
scripts/postinstall.jsView on unpkg · L52Package ships high-entropy non-source blobs.
src/assets/fonts/IBMPlexMono-600.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/pdf.jsView on unpkg