registry  /  tmg-media-player  /  0.0.3

tmg-media-player@0.0.3

A feature-rich, Web media player implementation for The Movie Garden initiative

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the browser entrypoint immediately initializes the player and loads remote CSS/scripts. Mutable CDN `@latest` dependencies can execute in the host page if their remote content changes; no local persistence or exfiltration was found.

Static reason
No blocking static signals were detected.
Trigger
Import `tmg-media-player` in a browser.
Impact
Remote CDN content runs with the embedding page's script privileges.
Mechanism
Import-time remote script/resource loading plus optional element-config fetch.
Rationale
The package is not demonstrably malicious, but unconditional loading of mutable remote scripts is a concrete unresolved remote-code execution risk for host pages. Warn rather than block because the endpoints and behavior are package-aligned and no malicious chain is present.
Evidence
package.jsondist/index.jsdist/chunk-HP2CI3HA.jsdist/tools/player.cjsdist/super.global.js
Network endpoints4
cdn.jsdelivr.net/npm/@t007/toast@latestcdn.jsdelivr.net/npm/@t007/input@latestcdn.jsdelivr.net/npm/@t007/dialog@latestcdn.jsdelivr.net/npm/tmg-media-player@latest/dist/index.min.css

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` imports bootstrap code at module load.
  • `dist/chunk-HP2CI3HA.js` injects CDN resources on browser import.
  • Bootstrap defaults use mutable `@latest` jsDelivr script URLs.
  • Media attachment fetches a `.json` URL supplied by a `tmg` element attribute.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No Node filesystem, child-process, credential, or AI-agent-control APIs found in distributed JS.
  • Observed fetch reads player configuration; no source shows credential/data exfiltration.
  • Remote loaders target declared player UI and streaming-library resources.
Behavioral surface
Source
ChildProcessDynamicRequireEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 926 file(s), 7.29 MB of source, external domains: cdn.jsdelivr.net, img.youtube.com, player.vimeo.com, www.gstatic.com, www.npmjs.com, www.youtube-nocookie.com, www.youtube.com

Source & flagged code

2 flagged · loading source
dist/super.global.jsView file
1100if (!sig) return win4.setTimeout(handler, timeout, ...args); L1101: const id = win4.setTimeout(() => (sig.removeEventListener("abort", kill), "string" === typeof handler ? new Function(handler) : handler(...args)), timeout), kill = () => win4.clear... L1102: return sig.addEventListener("abort", kill, { once: true }), id;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/super.global.jsView on unpkg · L1100
dist/tools/player.cjsView file
30// src/ts/consts/config.ts L31: var import_sia_reactor = require("sia-reactor"); L32:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/player.cjsView on unpkg · L30

Findings

2 Medium5 Low
MediumDynamic Requiredist/tools/player.cjs
MediumNetwork
LowScripts Present
LowEvaldist/super.global.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings