registry  /  @aiscene/aiserver  /  1.8.8

@aiscene/aiserver@1.8.8

AI automation server with device management, task scheduling, and debug capabilities

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked AI/device automation server with local debug services and backend callbacks; the bundled model API key is sensitive-looking packaging hygiene risk but not malware by itself.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the aiserver bin/start command or activation command.
Impact
Runs automation tasks and sends task status, reports, device heartbeats, and auth heartbeats to configured service endpoints; no unconsented install-time or import-time behavior identified.
Mechanism
User-invoked automation server with task polling, local auth/debug UI, code/task execution, and report/device callbacks.
Rationale
Static inspection shows broad but package-aligned automation functionality activated by explicit CLI/server use, with no lifecycle hook or covert install/import execution. The bundled API key/default endpoints are concerning hygiene, but the code paths use them for the advertised automation/model workflow rather than confirmed malicious exfiltration.
Evidence
package.jsondist/index.jsdist/.envdist/config/index.jsdist/auth/node-auth.jsdist/auth/browser-auth.jsdist/api/callback.jsdist/debug/websocket-server.jsdist/executor/code-executor.jsdist/device/detector.jsdata/aiserver-auth.json./data/aiserver.dbtask report files deleted after upload unless AISERVER_KEEP_LOCAL_REPORTS=truedebug captured request JSON files
Network endpoints11
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login127.0.0.1:<webPort>/api/auth/activate127.0.0.1:8899proxy-pc.jd.com/account/<proxyAccount>autobots-bk.jd.local/autobots/api/v1/searchAiSsestorage.jd.com/swm-plus/user-select/index.html

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/.env and dist/config/index.js contain a packaged MIDSCENE_MODEL_API_KEY-looking default value.
  • dist/executor/code-executor.js executes task-provided code with AsyncFunction as part of automation workflow.
  • dist/debug/websocket-server.js exposes local WebSocket/debug actions when the server is run.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; execution is via user-invoked bin/start only.
  • dist/index.js starts a documented AI/device automation server after local/browser auth, not import-time behavior.
  • dist/auth/node-auth.js writes only data/aiserver-auth.json after explicit activation/auth and uses it for package service headers.
  • Network activity is package-aligned: auth, node registration/heartbeat, task polling, report upload, device heartbeat, model API, and local debug UI.
  • child_process use is package-aligned for opening a browser, ADB/iOS device discovery, and worker/debug support.
  • No evidence of unrelated credential harvesting, covert exfiltration, persistence, destructive behavior, dependency confusion, or prompt/reviewer manipulation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 73 file(s), 757 KB of source, external domains: 127.0.0.1, autobots-bk.jd.local, clawai.jd.com, modelservice.jdcloud.com, nethp-test.jd.com, opentest.jd.com, opentestai.jd.com, proxy-pc.jd.com, ssa.jd.com, storage.jd.com

Source & flagged code

1 flagged · loading source
dist/.envView file
32patternName = blocked_file severity = critical matchedText = dist/.env redactedSecretContext = secretLikeLines = 4 L32: OPENAI_API_KEY=<redacted:0 empty> L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like> L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like> L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/.envView on unpkg · L32

Findings

1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings