AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a user-invoked AI/device automation server with local debug services and backend callbacks; the bundled model API key is sensitive-looking packaging hygiene risk but not malware by itself.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the aiserver bin/start command or activation command.
Impact
Runs automation tasks and sends task status, reports, device heartbeats, and auth heartbeats to configured service endpoints; no unconsented install-time or import-time behavior identified.
Mechanism
User-invoked automation server with task polling, local auth/debug UI, code/task execution, and report/device callbacks.
Rationale
Static inspection shows broad but package-aligned automation functionality activated by explicit CLI/server use, with no lifecycle hook or covert install/import execution. The bundled API key/default endpoints are concerning hygiene, but the code paths use them for the advertised automation/model workflow rather than confirmed malicious exfiltration.
Evidence
package.jsondist/index.jsdist/.envdist/config/index.jsdist/auth/node-auth.jsdist/auth/browser-auth.jsdist/api/callback.jsdist/debug/websocket-server.jsdist/executor/code-executor.jsdist/device/detector.jsdata/aiserver-auth.json./data/aiserver.dbtask report files deleted after upload unless AISERVER_KEEP_LOCAL_REPORTS=truedebug captured request JSON files
Network endpoints11
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login127.0.0.1:<webPort>/api/auth/activate127.0.0.1:8899proxy-pc.jd.com/account/<proxyAccount>autobots-bk.jd.local/autobots/api/v1/searchAiSsestorage.jd.com/swm-plus/user-select/index.html
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/.env and dist/config/index.js contain a packaged MIDSCENE_MODEL_API_KEY-looking default value.
- dist/executor/code-executor.js executes task-provided code with AsyncFunction as part of automation workflow.
- dist/debug/websocket-server.js exposes local WebSocket/debug actions when the server is run.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; execution is via user-invoked bin/start only.
- dist/index.js starts a documented AI/device automation server after local/browser auth, not import-time behavior.
- dist/auth/node-auth.js writes only data/aiserver-auth.json after explicit activation/auth and uses it for package service headers.
- Network activity is package-aligned: auth, node registration/heartbeat, task polling, report upload, device heartbeat, model API, and local debug UI.
- child_process use is package-aligned for opening a browser, ADB/iOS device discovery, and worker/debug support.
- No evidence of unrelated credential harvesting, covert exfiltration, persistence, destructive behavior, dependency confusion, or prompt/reviewer manipulation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/.envView file
32patternName = blocked_file
severity = critical
matchedText = dist/.env
redactedSecretContext =
secretLikeLines = 4
L32: OPENAI_API_KEY=<redacted:0 empty>
L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like>
L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like>
L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Findings
1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings