AI Security Review
scanned 3d ago · by lpm-firewall-aiUser-started automation server can poll backend tasks that execute browser/device automation, including runCode via AsyncFunction. It also exposes debug/workspace APIs for file edits, git operations, and shell commands, guarded but high-risk if exposed.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `aiserver` / `node dist/index.js` and authorizes or uses the web/debug API.
Impact
Dangerous dual-use runtime capability; no hidden install-time malware confirmed.
Mechanism
runtime automation server with remote task polling and local workspace command APIs
Attack narrative
No hidden install-time payload was found. The real risk is runtime: after the user starts and authorizes the server, it registers to configured JD endpoints, polls tasks, forks workers, and can execute backend-provided runCode/browser/device actions. Its web API also includes workspace file and shell controls exposed by the dashboard. These capabilities appear intended for an AI automation server but are high-risk if exposed or misused.
Rationale
Source inspection supports a suspicious/warn verdict for exposed credentials and dangerous runtime control surfaces, but not malicious blocking: execution is user-invoked, package-aligned, and gated by activation/debug workflows rather than hidden lifecycle behavior.
Evidence
package.jsondist/index.jsdist/config/index.jsdist/.envdist/task/poller.jsdist/task/scheduler.jsdist/executor/code-executor.jsdist/executor/cli-executor.jsdist/web/server.jsdist/auth/node-auth.jsdata/aiserver-auth.jsondata/aiserver.dbtmp/captures/*.jsonuser-selected workspace files
Network endpoints6
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/web/server.js exposes /api/code-workspace/shell, file write/edit, git clone/branch endpoints on 0.0.0.0 with permissive CORS and only Origin/approved-request guards.
- dist/config/index.js and dist/.env contain a hardcoded JDCloud model API key-like default used in model env config.
Evidence against
- package.json has no install/preinstall/postinstall hooks; entrypoint runs only when CLI/main is invoked.
- dist/index.js requires browser/activate flow before node registration, device heartbeat, task polling, and debug services.
- Network activity matches automation role: register/heartbeat, task polling, report upload, device heartbeat, model APIs.
- File writes are runtime state/report/workspace operations, not install-time drops or persistence.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/.envView file
32patternName = blocked_file
severity = critical
matchedText = dist/.env
redactedSecretContext =
secretLikeLines = 4
L32: OPENAI_API_KEY=<redacted:0 empty>
L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like>
L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like>
L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Findings
1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings