AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs prompt2video build or prompt2video install.
Impact
Claude may read/write in the generated project, run shell commands, and use WebFetch while producing video artifacts; install can add the package skill to a user-selected agent skills folder.
Mechanism
user-invoked Claude Code skill setup and agent launch
Policy narrative
The package is an explicit Claude Code automation wrapper for generating Remotion videos. Its risky behavior is activated by CLI commands, not install/import: it scaffolds a temp project, installs skills, copies its own prompt2video skill, and launches Claude with broad tools plus a stream viewer. This is documented and package-aligned, but broad agent permissions and runtime @latest npx execution warrant a warning.
Rationale
Source inspection shows documented, user-invoked AI agent orchestration with broad Claude tools but no lifecycle hook, stealth persistence, credential harvesting, or concrete exfiltration. Because the package writes agent skill files and launches an agent with shell/web/write capabilities, warn rather than mark clean.
Evidence
- package.json
- dist/cli.js
- dist/commands/build.js
- dist/commands/install.js
- skills/prompt2video/SKILL.md
- README.md
- /tmp/prompt2video_<timestamp>
- /tmp/prompt2video_<timestamp>/.claude/skills/prompt2video
- /tmp/prompt2video_<timestamp>/out/video.claude_events.jsonl
- <outputDir>/prompt2video_<timestamp>_video.mp4
- <outputDir>/prompt2video_<timestamp>_slides.pdf
- <outputDir>/prompt2video_<timestamp>_video.claude_events.jsonl
- <agentsFolder>/skills/prompt2video
Network endpoints (8)
- github.com/jeromeetienne/prompt2video.git
- github.com/jeromeetienne/prompt2video#readme
- github.com/jeromeetienne/prompt2video/issues
- claude.com/claude-code
- www.remotion.dev/
- www.npmjs.com/package/claude_stream_viewer
- ffmpeg.org/
- imagemagick.org/
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/commands/build.js user-invoked build spawns claude with Bash,Read,Write,WebFetch and --permission-mode auto.
- dist/commands/build.js runs npx create-video@latest, npx skills add remotion-dev/skills, and npx --yes claude_stream_viewer@latest at runtime.
- dist/commands/build.js copies bundled skill into generated project .claude/skills/prompt2video.
- dist/commands/install.js can copy bundled skills into a caller-supplied agentsFolder/skills path.
Evidence against
- package.json has no npm lifecycle hooks; main/bin only expose CLI.
- README.md documents the Claude/Remotion orchestration, runtime npx tools, and skill install behavior.
- Agent skill content is package-aligned video generation instructions, not credential harvesting or reviewer manipulation.
- No process.env secret reads, exfiltration code, persistence hooks, destructive commands, or import-time execution found.
Behavioral surface
ChildProcess, Filesystem, Shell
Source & flagged code
2 flagged
dist/commands/build.js
L1: import ChildProcess from 'node:child_process';
L2: import Fs from 'node:fs';
High
Child Process
Package source references child process execution.
dist/commands/build.js · L1
L1: import ChildProcess from 'node:child_process';
L2: import Fs from 'node:fs';
...
L14: console.error('Error: no user prompt provided on stdin.');
L15: console.error('Usage: echo "my prompt" | npx tsx prompt2video.ts build');
L16: process.exit(1);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/build.js · L1
Findings
3 High, 2 Low
- High: Child Process (dist/commands/build.js)
- High: Shell
- High: Runtime Package Install (dist/commands/build.js)
- Low: Scripts Present
- Low: Filesystem