registry  /  hyper-animator  /  2.15.1

hyper-animator@2.15.1

Claude Code skill for HyperFrames animation pipeline — natural language to rendered video

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. An npm postinstall mutates the broad Claude Code skill control surface without user action. It installs package-authored skill instructions and scripts, then executes a copied sync helper.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
`npm install` / dependency installation
Impact
Unconsented persistent AI-agent instruction and tool-surface modification; install-time external catalog retrieval.
Mechanism
postinstall drops and activates a Claude skill under the user home directory
Policy narrative
Installing the package automatically copies a package-supplied Claude Code skill, instructions, and executable helpers into `~/.claude/skills/hyper-animator`, creates a configuration file, and rewrites the installed skill metadata. The same postinstall then runs the copied catalog-sync helper, which invokes `hyperframes` to fetch catalog content. This is an unconsented postinstall mutation of a broad AI-agent control surface.
Rationale
The package performs concrete install-time writes to the user's Claude skill directory and executes follow-on tooling. That meets the firewall block boundary for unconsented postinstall mutation of a foreign/broad AI-agent control surface.
Evidence
package.jsoninstall.jsskills/hyper-animator/SKILL.mdskills/hyper-animator/scripts/sync-catalog.pyskills/hyper-animator/~/.claude/skills/hyper-animator/~/.claude/skills/hyper-animator/.env~/.claude/skills/hyper-animator/SKILL.md~/.claude/skills/hyper-animator/scripts/sync-catalog.py

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node install.js` as `postinstall`.
  • `install.js` unconditionally copies package content into `~/.claude/skills/hyper-animator`.
  • `install.js` writes `~/.claude/skills/hyper-animator/.env` during install.
  • `install.js` rewrites installed `SKILL.md` frontmatter.
  • Postinstall executes copied `sync-catalog.py`, which invokes the external `hyperframes` CLI.
Evidence against
  • No credential exfiltration found in the inspected installer.
  • MiniMax API calls are in explicit generation helpers, not the installer.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.3 KB of source, external domains: platform.minimaxi.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.jsView file
12Install-time AI-agent control hijack evidence: L12: const home = os.homedir(); L13: const destDir = path.join(home, '.claude', 'skills', 'hyper-animator'); L14: const srcDir = path.join(__dirname, 'skills', 'hyper-animator'); ... L38: function copyDir(src, dest) { L39: if (!fs.existsSync(dest)) fs.mkdirSync(dest, { recursive: true }); L40: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L43: if (entry.isDirectory()) { copyDir(s, d); } L44: else { fs.copyFileSync(s, d); if (entry.name.endsWith('.sh')) fs.chmodSync(d, 0o755); } L45: } ... L57: } L58: if (added > 0) fs.writeFileSync(envPath, content); L59: return { envPath, added }; Payload evidence from skills/hyper-animator/SKILL.md: L26: L27: Display as: `hyper-animator v<version> (commit <commit>)` in the first message to the user. Example: `hyper-animator v1.10.1 (f6b3697)`. This helps with debugging — knowing exactly... L28: ... L149: |---------|---------------| L150: | Beat JSON generated | `data: beat detection — <composition-name>` | L151: | BGM/SFX files generated | `asset: audio generated via <source>` | ... L992: - WAV format, 32kHz mono, compatible with HyperFrames `<audio>` element L993: - Exit…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

install.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = hyper-animator@2.15.0 matchedPath = install.js matchedIdentity = npm:aHlwZXItYW5pbWF0b3I:2.15.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

install.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 78b72a0f5cb542da signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = hyper-animator@2.15.0 matchedPath = install.js matchedIdentity = npm:aHlwZXItYW5pbWF0b3I:2.15.0 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

install.jsView on unpkg
skills/hyper-animator/scripts/lint-html.pyView file
path = skills/hyper-animator/scripts/lint-html.py kind = build_helper sizeBytes = 16134 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/hyper-animator/scripts/lint-html.pyView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalAi Agent Control Hijackinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similarityinstall.js
HighKnown Malware Source Fingerprint Signatureinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperskills/hyper-animator/scripts/lint-html.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings