hyper-animator@2.1.1

Claude Code skill for HyperFrames animation pipeline — natural language to rendered video

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a local AI-agent skill surface at npm install time. The dropped skill is package-aligned, but the lifecycle write into $HOME/.claude/skills is unconsented and outside the package directory.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install or running the hyper-animator bin
Impact: Installs agent instructions and executable helper scripts into the user's home-directory AI-agent control surface.
Mechanism: postinstall copies package-supplied Claude skill files and writes an API .env template
Policy narrative
On npm install, package.json runs install.js. That script resolves the user's home directory, recursively copies the bundled skills/hyper-animator directory into $HOME/.claude/skills/hyper-animator, chmods shipped shell scripts executable, and creates or updates a .env file there with MiniMax configuration placeholders. The installed SKILL.md becomes an AI-agent instruction surface for future animation workflows. The content appears aligned with the package purpose, but the install-time mutation of an agent control surface is concrete and unconsented.
Rationale
Source inspection confirms a lifecycle hook that writes package-controlled AI-agent instructions and scripts into $HOME/.claude/skills. That behavior is a concrete AI-agent control-surface mutation even without credential theft or import-time exfiltration. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • install.js
  • skills/hyper-animator/SKILL.md
  • skills/hyper-animator/scripts/minimax-gen.py
  • skills/hyper-animator/scripts/tts-gen.py
  • $HOME/.claude/skills/hyper-animator
  • $HOME/.claude/skills/hyper-animator/.env
Network endpoints (3)
  • platform.minimaxi.com
  • api.minimaxi.com
  • api.minimax.io

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node install.js and bin maps hyper-animator to install.js.
  • install.js copies skills/hyper-animator into $HOME/.claude/skills/hyper-animator during install.
  • install.js creates or updates $HOME/.claude/skills/hyper-animator/.env with MINIMAX_* placeholders.
  • skills/hyper-animator/SKILL.md installs AI-agent instructions that direct future tool, git, render, and script actions.
Evidence against
  • install.js performs no network calls and does not exfiltrate existing credentials.
  • No obfuscation, eval/vm/Function, native binary loading, or destructive lifecycle commands found.
  • MiniMax curl/urllib network calls are in user-invoked scripts for package-aligned audio/TTS generation.
  • No evidence of dependency confusion, persistence beyond copied skill files, or file harvesting outside the skill .env load path.
Behavioral surface
Source: Filesystem
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 4.92 KB of source, external domains: platform.minimaxi.com

Source & flagged code

4 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

install.js
Install-time AI-agent control hijack evidence:
L12: const home = os.homedir();
L13: const destDir = path.join(home, '.claude', 'skills', 'hyper-animator');
L14: const srcDir = path.join(__dirname, 'skills', 'hyper-animator');
...
L38: function copyDir(src, dest) {
L39: if (!fs.existsSync(dest)) fs.mkdirSync(dest, { recursive: true });
L40: for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
...
L43: if (entry.isDirectory()) { copyDir(s, d); }
L44: else { fs.copyFileSync(s, d); if (entry.name.endsWith('.sh')) fs.chmodSync(d, 0o755); }
L45: }
...
L57: }
L58: if (added > 0) fs.writeFileSync(envPath, content);
L59: return { envPath, added };
Payload evidence from skills/hyper-animator/SKILL.md:
L26:
L27: Display as: `hyper-animator v<version> (commit <commit>)` in the first message to the user. Example: `hyper-animator v1.10.1 (f6b3697)`. This helps with debugging — knowing exactly...
L28:
...
L149: |---------|---------------|
L150: | Beat JSON generated | `data: beat detection — <composition-name>` |
L151: | BGM/SFX files generated | `asset: audio generated via <source>` |
...
L912: - WAV format, 32kHz mono, compatible with HyperFrames `<audio>` element
L913: - Exit…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

install.js · L12
skills/hyper-animator/scripts/preview-gen.py
path = skills/hyper-animator/scripts/preview-gen.py kind = build_helper sizeBytes = 11136 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 Critical · 1 High · 3 Medium · 4 Low
Critical · Ai Agent Control Hijack · install.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ships Build Helper · skills/hyper-animator/scripts/preview-gen.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings