registry  /  @aiscene/aiserver  /  1.8.9

@aiscene/aiserver@1.8.9

AI automation server with device management, task scheduling, and debug capabilities

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found, but the package ships an embedded model API key and exposes a powerful runtime automation server. Remote task execution/report upload occurs only when the user runs the CLI/server and completes or supplies activation/configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the aiserver bin/start command or activate flow.
Impact
Potential misuse of bundled API credential and execution of backend-supplied automation tasks in the configured environment.
Mechanism
authorized AI/device automation server with remote task polling and report upload
Rationale
Static inspection supports a legitimate but high-privilege automation server rather than unconsented malware; suspiciousness comes from a bundled API key and runtime remote-task execution capability. There is no lifecycle execution, credential harvesting, persistence, destructive behavior, or hidden exfiltration beyond package-aligned callbacks/uploads.
Evidence
package.jsondist/.envdist/index.jsdist/config/index.jsdist/auth/node-auth.jsdist/task/poller.jsdist/task/scheduler.jsdist/api/callback.jsdata/aiserver-auth.jsondata/aiserver.dblocal report/capture files under runtime task output paths
Network endpoints6
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1ssa.jd.com/sso/login

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/.env and dist/config/index.js embed a MIDSCENE_MODEL_API_KEY-like value.
  • dist/index.js CLI starts a local automation server, registers/heartbeats, polls remote tasks, and uploads reports.
  • dist/task/scheduler.js forks worker-entry.js with remote task config in WORKER_CONFIG.
  • dist/auth/node-auth.js stores activation tokens under data/aiserver-auth.json.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/index.js behavior is runtime/bin-triggered, not install-time or import-time.
  • Network endpoints are consistent with an AI/device automation server: opentestai.jd.com, opentest.jd.com, clawai.jd.com, nethp-test.jd.com, modelservice.jdcloud.com.
  • File writes are local app state/reports/auth/database paths, not broad credential harvesting.
  • child_process usage is for browser open, adb/scrcpy/device tooling, and worker isolation aligned with package purpose.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 73 file(s), 764 KB of source, external domains: 127.0.0.1, autobots-bk.jd.local, clawai.jd.com, modelservice.jdcloud.com, nethp-test.jd.com, opentest.jd.com, opentestai.jd.com, proxy-pc.jd.com, ssa.jd.com, storage.jd.com

Source & flagged code

1 flagged · loading source
dist/.envView file
32patternName = blocked_file severity = critical matchedText = dist/.env redactedSecretContext = secretLikeLines = 4 L32: OPENAI_API_KEY=<redacted:0 empty> L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like> L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like> L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/.envView on unpkg · L32

Findings

1 Critical2 Medium4 Low
CriticalCritical Secretdist/.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings