registry  /  hearyourvoice  /  1.3.0

hearyourvoice@1.3.0

Agent skill + 16 subagents: the complete format- and editor-agnostic workflow for short Thai documentary/explainer videos — research, script, agent punchline debate, ElevenLabs voiceover, footage, timecoded timeline, delivery folder.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `hearyourvoice install` or `install.sh`; separate media scripts require direct execution.
Impact
Adds package-controlled agent instructions to selected local agent directories; no confirmed credential theft, remote payload chain, or broad destructive action.
Mechanism
Explicit agent-extension installation and user-invoked media API tooling.
Rationale
Source inspection found no malicious install hook, credential exfiltration, stealth persistence, or destructive behavior. Because the package explicitly installs AI-agent extensions into user agent directories, retain a non-blocking warning for capability review.
Evidence
package.jsonbin/cli.mjsinstall.shskills/hearyourvoice/scripts/gen-voiceover.mjsskills/hearyourvoice/scripts/veo-generate.pyskills/hearyourvoice/scripts/fetch-cc-images.mjsskills/hearyourvoice/references/examples/chado-NG-shotlist.xlsxskills/hearyourvoice/agents/hyv-*.md~/.claude/skills/hearyourvoice~/.claude/agents/hyv-*.md~/.codex/skills/hearyourvoice~/.hermes/skills/hearyourvoice
Network endpoints3
api.openverse.org/v1/images/commons.wikimedia.org/w/api.phpapi.elevenlabs.io/v1/text-to-speech/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/cli.mjs` explicit `install` copies a skill into `~/.claude`, `~/.codex`, or `~/.hermes`.
  • For Claude targets, `bin/cli.mjs` deletes and replaces package-owned `hyv-*.md` agent files in `.claude/agents`.
  • `install.sh` provides the same explicit agent-extension installation path.
  • `veo-generate.py` dynamically loads a user-supplied provider plugin path.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • Agent/config writes require an explicit CLI or shell `install` invocation.
  • Agent cleanup is scoped to the package-owned `hyv-*.md` filename prefix.
  • Network use is feature-aligned: CC-image APIs and ElevenLabs TTS.
  • `gen-voiceover.mjs` requires `--yes` before sending API-key-authenticated TTS requests.
  • The bundled `.xlsx` is a standard XML workbook with no macro, OLE, or external-link entries.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 96.1 KB of source, external domains: api.elevenlabs.io, api.openverse.org, commons.wikimedia.org, github.com

Source & flagged code

4 flagged · loading source
install.shView file
path = install.sh kind = build_helper sizeBytes = 1876 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
skills/hearyourvoice/references/examples/chado-NG-shotlist.xlsxView file
path = [redacted]-NG-shotlist.xlsx kind = high_entropy_blob sizeBytes = 22447 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skills/hearyourvoice/references/examples/chado-NG-shotlist.xlsxView on unpkg
path = [redacted]-NG-shotlist.xlsx kind = compressed_blob sizeBytes = 22447 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

skills/hearyourvoice/references/examples/chado-NG-shotlist.xlsxView on unpkg
path = [redacted]-NG-shotlist.xlsx kind = nested_archive_needs_inspection sizeBytes = 22447 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

skills/hearyourvoice/references/examples/chado-NG-shotlist.xlsxView on unpkg

Findings

1 High5 Medium6 Low
HighShips High Entropy Blobskills/hearyourvoice/references/examples/chado-NG-shotlist.xlsx
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.sh
MediumShips Compressed Blobskills/hearyourvoice/references/examples/chado-NG-shotlist.xlsx
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionskills/hearyourvoice/references/examples/chado-NG-shotlist.xlsx