registry  /  videospec  /  0.14.5

videospec@0.14.5

OpenSpec-Video (videospec) - A cinematic AI automation framework: structured narrative specs → production-ready media via multi-provider pipeline.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 109 file(s), 648 KB of source, external domains: 127.0.0.1, api.minimaxi.com, gemini.google.com, github.com, www.runninghub.cn

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/types/FrontmatterSchema.jsView file
3exports.ShotProductionFrontmatterSchema = exports.ShotDesignFrontmatterSchema = exports.ProjectFrontmatterSchema = exports.BaseFrontmatterSchema = exports.NodeMappingSchema = expor... L4: const zod_1 = require("zod"); L5: const Refs_1 = require("./Refs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/FrontmatterSchema.jsView on unpkg · L3
dist/commands/validate.jsView file
matchType = previous_version_dangerous_delta matchedPackage = videospec@0.14.3 matchedIdentity = npm:dmlkZW9zcGVj:0.14.3 similarity = 0.905 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/validate.jsView on unpkg

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/commands/validate.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/types/FrontmatterSchema.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings