registry  /  @aiscene/aiserver  /  1.8.7

@aiscene/aiserver@1.8.7

AI automation server with device management, task scheduling, and debug capabilities

AI Security Review

scanned 3d ago · by lpm-firewall-ai

User-started automation server can poll backend tasks that execute browser/device automation, including runCode via AsyncFunction. It also exposes debug/workspace APIs for file edits, git operations, and shell commands, guarded but high-risk if exposed.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `aiserver` / `node dist/index.js` and authorizes or uses the web/debug API.
Impact
Dangerous dual-use runtime capability; no hidden install-time malware confirmed.
Mechanism
runtime automation server with remote task polling and local workspace command APIs
Attack narrative
No hidden install-time payload was found. The real risk is runtime: after the user starts and authorizes the server, it registers to configured JD endpoints, polls tasks, forks workers, and can execute backend-provided runCode/browser/device actions. Its web API also includes workspace file and shell controls exposed by the dashboard. These capabilities appear intended for an AI automation server but are high-risk if exposed or misused.
Rationale
Source inspection supports a suspicious/warn verdict for exposed credentials and dangerous runtime control surfaces, but not malicious blocking: execution is user-invoked, package-aligned, and gated by activation/debug workflows rather than hidden lifecycle behavior.
Evidence
package.jsondist/index.jsdist/config/index.jsdist/.envdist/task/poller.jsdist/task/scheduler.jsdist/executor/code-executor.jsdist/executor/cli-executor.jsdist/web/server.jsdist/auth/node-auth.jsdata/aiserver-auth.jsondata/aiserver.dbtmp/captures/*.jsonuser-selected workspace files
Network endpoints6
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/web/server.js exposes /api/code-workspace/shell, file write/edit, git clone/branch endpoints on 0.0.0.0 with permissive CORS and only Origin/approved-request guards.
  • dist/config/index.js and dist/.env contain a hardcoded JDCloud model API key-like default used in model env config.
Evidence against
  • package.json has no install/preinstall/postinstall hooks; entrypoint runs only when CLI/main is invoked.
  • dist/index.js requires browser/activate flow before node registration, device heartbeat, task polling, and debug services.
  • Network activity matches automation role: register/heartbeat, task polling, report upload, device heartbeat, model APIs.
  • File writes are runtime state/report/workspace operations, not install-time drops or persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 73 file(s), 757 KB of source, external domains: 127.0.0.1, autobots-bk.jd.local, clawai.jd.com, modelservice.jdcloud.com, nethp-test.jd.com, opentest.jd.com, opentestai.jd.com, proxy-pc.jd.com, ssa.jd.com, storage.jd.com

Source & flagged code

1 flagged · loading source
dist/.envView file
32patternName = blocked_file severity = critical matchedText = dist/.env redactedSecretContext = secretLikeLines = 4 L32: OPENAI_API_KEY=<redacted:0 empty> L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like> L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like> L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/.envView on unpkg · L32

Findings

1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings