registry  /  hyperframes  /  0.7.44

hyperframes@0.7.44

HyperFrames CLI — create, preview, and render HTML video compositions

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a video composition CLI that can install/update HyperFrames AI-agent skills into multiple local agent skill directories during user-invoked setup. This is a lifecycle risk but not confirmed malware because there is no npm install hook and the behavior is documented/first-party.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `hyperframes init` without HYPERFRAMES_SKIP_SKILLS=1 or runs `hyperframes skills`.
Impact
May modify local AI-agent skill directories and refresh content from GitHub; telemetry may send anonymous usage/system metadata when enabled.
Mechanism
first-party AI-agent skill installation via npx skills
Rationale
Static inspection confirms broad AI-agent skill directory mutation, but only from explicit CLI commands and sourced from the package's first-party GitHub repo. No install-time execution, credential theft, destructive action, or unconsented npm lifecycle mutation was found.
Evidence
package.jsondist/cli.jsdist/studio/index.jsdist/skills/hyperframes/SKILL.mddist/skills/hyperframes-cli/SKILL.md~/.codex/skills~/.claude/skills~/.agents/skillsagent-specific skills directories listed in dist/cli.js
Network endpoints5
github.com/heygen-com/hyperframesraw.githubusercontent.com/heygen-com/hyperframesapi2.heygen.comopenrouter.ai/api/v1/chat/completionsPostHog batch endpoint from POSTHOG_HOST

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js:117283 makes init skip skills only when HYPERFRAMES_SKIP_SKILLS=1; --skip-skills is logged as ignored.
  • dist/cli.js:117398 calls keepSkillsCurrent during non-interactive init, which runs skills update by default.
  • dist/cli.js:83183-83248 shells out to npx skills add/remove for https://github.com/heygen-com/hyperframes.
  • dist/cli.js:83033-83116 enumerates many agent skill directories including codex, claude-code, cursor, gemini-cli, etc.
  • dist/cli.js:78693 and dist/studio/index.js:1661 send usage telemetry to PostHog when enabled.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • The agent skill mutation is tied to explicit hyperframes init/skills commands, not npm install/import time.
  • Skill source is first-party heygen-com/hyperframes and names are regex-sanitized before install/remove.
  • Network endpoints largely align with CLI features: GitHub skill/asset fetch, HeyGen publish/feedback, PostHog telemetry, optional OpenRouter/Gemini vision with env keys.
  • No source evidence of credential harvesting, destructive filesystem behavior, or remote payload execution outside declared CLI features.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 16 file(s), 3.62 MB of source, external domains: aomediacodec.github.io, api.figma.com, api.heygen.com, cdn.example.com, cdn.jsdelivr.net, evilmartians.com, example.com, fonts.googleapis.com, react.dev, studio.local, us.i.posthog.com, www.figma.com, www.w3.org, www.w3ctech.com, www.webmproject.org
Oversized source lightweight scan
dist/cli.js9.10 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellDynamicRequireHighEntropyStringsUrlStringsapi.figma.comapi.heygen.comcdn.example.comexample.comwww.figma.com
dist/studio/assets/index-BtAysyap.js3.09 MB file, sampled 256 KB
NetworkChildProcessObfuscatedHighEntropyStringsMinifiedTelemetryUrlStringsreact.devwww.w3.org

Source & flagged code

3 flagged · loading source
dist/studio/index.jsView file
192fill: "none", L193: xmlns: "http://www.w3.org/2000/svg", L194: "aria-hidden": "true", ... L1271: if (!raw) return {}; L1272: const parsed = JSON.parse(raw); L1273: if (!isRecord2(parsed)) return {}; ... L1526: try { L1527: return import.meta.env.DEV === true; L1528: } catch { ... L1663: headers: { "Content-Type": "application/json" }, L1664: body: JSON.stringify({ api_key: POSTHOG_API_KEY, batch }), L1665: signal: controller.signal
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/studio/index.jsView on unpkg · L192
dist/studio/assets/index-BtAysyap.jsView file
path = dist/studio/assets/index-BtAysyap.js kind = oversized_source_file sizeBytes = 3244610 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/studio/assets/index-BtAysyap.jsView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 9547002 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg

Findings

2 High5 Medium7 Low
HighSandbox Evasion Gated Capabilitydist/studio/index.js
HighOversized Source Filedist/studio/assets/index-BtAysyap.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License