
AI Audit: Findings and Recommendations #2

Open

koxon wants to merge 1 commit into master from findings/ai-audit-2026-02-17


Conversation

@koxon (Contributor) commented Feb 17, 2026

Summary

Two-pass security and operational audit of CloudTranscode-Lambda by the Backend Developer AI agent.

  • FINDINGS.md: 21 findings across Critical (3), High (5), Medium (6), Low (7) severity levels, plus 4 agent skill improvements and 5 positive observations
  • CLAUDE.md: Comprehensive rewrite with Lambda function documentation, FFmpeg integration details, deployment notes, security issues cross-referenced to FINDINGS.md, and corrected gotchas

Key findings:

  • Critical: Node.js 0.10.33 runtime is EOL (cannot deploy), FFmpeg downloaded over HTTP (supply-chain risk), function acknowledged as unreliable by own README
  • High: Path traversal via unsanitized S3 key, logs:* IAM over-privilege, temp files never cleaned, partial download (Range header) likely root cause of intermittent failures, all dependencies severely outdated
  • Primary recommendation: Formally deprecate this repo in favor of CloudTranscode ECS workers

Root cause hypothesis for intermittent failures:

The downloadStream() function uses Range: bytes=0-1000000 which truncates video downloads to ~1 MB. This works for small/low-bitrate videos but fails for larger ones -- explaining why "some videos work though."

Test plan

  • Review FINDINGS.md for accuracy against codebase
  • Verify CLAUDE.md correctly documents current behavior
  • Decide: deprecate repo or modernize function
  • If keeping: address Critical and High findings before any deployment
  • Check if Lambda is still wired to S3 events in any AWS account

🤖 Generated with Claude Code

Two-pass security and operational audit of CloudTranscode-Lambda.
Focus areas: command injection, IAM, temp files, timeouts, error recovery, cost.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>