AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found, but the package ships an embedded model API key and exposes a powerful runtime automation server. Remote task execution/report upload occurs only when the user runs the CLI/server and completes or supplies activation/configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the aiserver bin/start command or activate flow.
Impact
Potential misuse of bundled API credential and execution of backend-supplied automation tasks in the configured environment.
Mechanism
authorized AI/device automation server with remote task polling and report upload
Rationale
Static inspection supports a legitimate but high-privilege automation server rather than unconsented malware; suspiciousness comes from a bundled API key and runtime remote-task execution capability. There is no lifecycle execution, credential harvesting, persistence, destructive behavior, or hidden exfiltration beyond package-aligned callbacks/uploads.
Evidence
package.jsondist/.envdist/index.jsdist/config/index.jsdist/auth/node-auth.jsdist/task/poller.jsdist/task/scheduler.jsdist/api/callback.jsdata/aiserver-auth.jsondata/aiserver.dblocal report/capture files under runtime task output paths
Network endpoints6
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/.env and dist/config/index.js embed a MIDSCENE_MODEL_API_KEY-like value.
- dist/index.js CLI starts a local automation server, registers/heartbeats, polls remote tasks, and uploads reports.
- dist/task/scheduler.js forks worker-entry.js with remote task config in WORKER_CONFIG.
- dist/auth/node-auth.js stores activation tokens under data/aiserver-auth.json.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/index.js behavior is runtime/bin-triggered, not install-time or import-time.
- Network endpoints are consistent with an AI/device automation server: opentestai.jd.com, opentest.jd.com, clawai.jd.com, nethp-test.jd.com, modelservice.jdcloud.com.
- File writes are local app state/reports/auth/database paths, not broad credential harvesting.
- child_process usage is for browser open, adb/scrcpy/device tooling, and worker isolation aligned with package purpose.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/.envView file
32patternName = blocked_file
severity = critical
matchedText = dist/.env
redactedSecretContext =
secretLikeLines = 4
L32: OPENAI_API_KEY=<redacted:0 empty>
L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like>
L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like>
L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Findings
1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings