AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package performs a user-triggered Chromium bootstrap for its declared PDF-rendering feature and stores it under `~/.forgr/browsers`.
Decision evidence
public snapshot- `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
- `scripts/postinstall.js` is only the explicit `install-chromium` script and downloads Playwright Chromium into `~/.forgr/browsers`.
- `src/pdf.js` invokes the same Chromium bootstrap only after the user runs PDF conversion and no browser cache exists.
- File removal is limited to Playwright FFmpeg/browser cache paths; PDF output is written to the user-selected output path.
- No source accesses credentials, shell profiles, agent configuration, or exfiltration endpoints.
- The high-entropy blobs are `.woff2` fonts embedded by `src/template.js` for PDF styling.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
scripts/postinstall.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
scripts/postinstall.jsView on unpkg · L52Package ships high-entropy non-source blobs.
src/assets/fonts/IBMPlexMono-600.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/pdf.jsView on unpkg