hyper-animator@2.2.1

Claude Code skill for HyperFrames animation pipeline — natural language to rendered video

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates an AI-agent skill directory during npm postinstall and runs a bundled Python helper. This is an unconsented lifecycle write to an agent control surface outside node_modules.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install hyper-animator@2.2.1 or running the hyper-animator bin without setup args
Impact
Installs package-supplied agent instructions/tools into ~/.claude/skills and performs install-time code execution with cache writes and external CLI/network activity.
Mechanism
postinstall drops Claude skill files and executes bundled Python helper
Policy narrative
On installation, package.json invokes install.js. The script copies the bundled hyper-animator skill into ~/.claude/skills, creates or updates its .env, then runs sync-catalog.py from that installed skill path. The helper writes a source-cache under the agent skill directory and invokes the hyperframes CLI to fetch catalog HTML.
Rationale
Static source inspection confirms install-time mutation of ~/.claude/skills plus execution of bundled helper code, which matches unconsented AI-agent control-surface mutation. Package-aligned animation and API behavior reduces exfiltration concern but does not make lifecycle control-surface writes acceptable. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • install.js
  • skills/hyper-animator/SKILL.md
  • skills/hyper-animator/scripts/sync-catalog.py
  • skills/hyper-animator/scripts/minimax-gen.py
  • skills/hyper-animator/scripts/tts-gen.py
  • ~/.claude/skills/hyper-animator
  • ~/.claude/skills/hyper-animator/.env
  • ~/.claude/skills/hyper-animator/references/source-cache
  • ~/.claude/skills/hyper-animator/references/source-cache/manifest.json
Network endpoints (6)
  • platform.minimaxi.com
  • api.minimaxi.com
  • api.minimax.io
  • github.com/realpkuasule/hyper-animator-2
  • raw.githubusercontent.com/heygen-com/hyperframes/main/registry
  • cdn.jsdelivr.net/npm/gsap@3.14.2/dist/gsap.min.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node install.js and bin hyper-animator -> install.js
  • install.js copies skills/hyper-animator to ~/.claude/skills/hyper-animator on default postinstall path
  • install.js creates/updates ~/.claude/skills/hyper-animator/.env with MiniMax config placeholders
  • install.js executes child_process.execSync('python3 .../scripts/sync-catalog.py --workers 4') from the dropped skill directory
  • sync-catalog.py writes ~/.claude/skills/hyper-animator/references/source-cache and shells out to hyperframes add
Evidence against
  • No credential harvesting found; scripts read MINIMAX_API_KEY only for user-invoked MiniMax API calls
  • Network/API behavior is aligned with animation, TTS, music generation, and HyperFrames catalog sync
  • No obfuscation, destructive commands, native binaries, dependency confusion, or reviewer prompt injection found
  • No npm dependencies declared
Behavioral surface
Source: ChildProcess, Filesystem, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 5.46 KB of source, external domains: platform.minimaxi.com

Source & flagged code

4 flagged

package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

install.js · L12
Install-time AI-agent control hijack evidence:
L12: const home = os.homedir();
L13: const destDir = path.join(home, '.claude', 'skills', 'hyper-animator');
L14: const srcDir = path.join(__dirname, 'skills', 'hyper-animator');
...
L38: function copyDir(src, dest) {
L39:   if (!fs.existsSync(dest)) fs.mkdirSync(dest, { recursive: true });
L40:   for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
...
L43:     if (entry.isDirectory()) { copyDir(s, d); }
L44:     else { fs.copyFileSync(s, d); if (entry.name.endsWith('.sh')) fs.chmodSync(d, 0o755); }
L45:   }
...
L57: }
L58: if (added > 0) fs.writeFileSync(envPath, content);
L59: return { envPath, added };
Payload evidence from skills/hyper-animator/SKILL.md:
L26:
L27: Display as: `hyper-animator v<version> (commit <commit>)` in the first message to the user. Example: `hyper-animator v1.10.1 (f6b3697)`. This helps with debugging — knowing exactly...
L28: ...
L149: |---------|---------------|
L150: | Beat JSON generated | `data: beat detection — <composition-name>` |
L151: | BGM/SFX files generated | `asset: audio generated via <source>` |
...
L912: - WAV format, 32kHz mono, compatible with HyperFrames `<audio>` element
L913: - Exit…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/hyper-animator/scripts/preview-gen.py
path = skills/hyper-animator/scripts/preview-gen.py
kind = build_helper
sizeBytes = 11136
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 Critical · 1 High · 3 Medium · 4 Low
Critical · Ai Agent Control Hijack · install.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ships Build Helper · skills/hyper-animator/scripts/preview-gen.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings