registry  /  forgr  /  0.7.3

forgr@0.7.3

Convert Markdown files into polished PDFs

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs a user-triggered Chromium bootstrap for its declared PDF-rendering feature and stores it under `~/.forgr/browsers`.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `forgr` conversion without a cached Chromium binary, or explicitly runs `npm run install-chromium`.
Impact
Creates/removes only the package-owned browser cache and writes the requested PDF; no credential or agent-control mutation is present.
Mechanism
Downloads Playwright Chromium and renders user-supplied Markdown to a chosen PDF output path.
Rationale
Static scanner signals map to an explicit Chromium installer and PDF renderer, not an automatic install hook or malicious chain. Source inspection found no credential harvesting, exfiltration, remote payload execution, persistence outside package-owned browser storage, or AI-agent control-surface writes.
Evidence
package.jsonscripts/postinstall.jssrc/browsers-path.jssrc/cli.jssrc/pdf.jssrc/template.jssrc/markdown.js~/.forgr/browsers<user-selected output>.pdf

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
    • `scripts/postinstall.js` is only the explicit `install-chromium` script and downloads Playwright Chromium into `~/.forgr/browsers`.
    • `src/pdf.js` invokes the same Chromium bootstrap only after the user runs PDF conversion and no browser cache exists.
    • File removal is limited to Playwright FFmpeg/browser cache paths; PDF output is written to the user-selected output path.
    • No source accesses credentials, shell profiles, agent configuration, or exfiltration endpoints.
    • The high-entropy blobs are `.woff2` fonts embedded by `src/template.js` for PDF styling.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 10 file(s), 38.2 KB of source

    Source & flagged code

    4 flagged · loading source
    scripts/postinstall.jsView file
    2import { rm } from 'fs/promises'; L3: import { execSync } from 'child_process'; L4: import { homedir } from 'os';
    High
    Child Process

    Package source references child process execution.

    scripts/postinstall.jsView on unpkg · L2
    52try { L53: execSync('npx playwright-core install chromium-headless-shell', { L54: stdio: 'inherit',
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    scripts/postinstall.jsView on unpkg · L52
    src/assets/fonts/IBMPlexMono-600.woff2View file
    path = src/assets/fonts/IBMPlexMono-600.woff2 kind = high_entropy_blob sizeBytes = 50600 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    src/assets/fonts/IBMPlexMono-600.woff2View on unpkg
    src/pdf.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = forgr@0.7.2 matchedIdentity = npm:Zm9yZ3I:0.7.2 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/pdf.jsView on unpkg

    Findings

    1 Critical4 High2 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/pdf.js
    HighChild Processscripts/postinstall.js
    HighShell
    HighRuntime Package Installscripts/postinstall.js
    HighShips High Entropy Blobsrc/assets/fonts/IBMPlexMono-600.woff2
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings