AI Security Review
scanned 3d ago · by lpm-firewall-aiThe package exposes a user-invoked automation server that can poll remote tasks and execute supplied automation/code. This is powerful and includes a bundled model API key, but the behavior is visible and aligned with the package purpose.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs `aiserver` or `node dist/index.js` and completes/has node authorization
Impact
Executes configured automation tasks, uses model credentials, stores node auth/SQLite data, uploads reports or capture files to configured callbacks.
Mechanism
remote task polling, forked worker execution, AsyncFunction code executor, report upload
Rationale
Source inspection shows no install-time/import-time malware, persistence, credential harvesting, or covert exfiltration, but the package intentionally provides remotely driven code/automation execution and ships a hardcoded model key. That unresolved dangerous capability warrants warning rather than a publish block.
Evidence
package.jsondist/.envdist/config/index.jsdist/task/poller.jsdist/task/scheduler.jsdist/executor/worker-entry.jsdist/executor/code-executor.jsdist/executor/cli-executor.jsdist/api/callback.jsdist/auth/node-auth.jsdata/aiserver-auth.jsondata/aiserver.dbtmp/captures/capture_task_<taskId>_<timestamp>.json
Network endpoints5
opentestai.jd.comopentest.jd.comclawai.jd.comnethp-test.jd.commodelservice.jdcloud.com/v1
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/.env and dist/config/index.js contain a hardcoded MIDSCENE_MODEL_API_KEY-like value and default JD/JDCloud endpoints.
- dist/task/poller.js fetches tasks from configured server and dist/task/scheduler.js forks worker-entry.js to execute them.
- dist/executor/code-executor.js and dist/executor/cli-executor.js execute task-provided JavaScript with AsyncFunction.
- dist/api/callback.js uploads report/capture files to configured callbacks and may delete uploaded local reports.
Evidence against
- package.json has no lifecycle install hooks; main/bin runs only when user invokes the server.
- Node auth is browser/activation-gated and stored in data/aiserver-auth.json with mode 0600.
- Remote task execution and report upload are package-aligned for an AI automation server, not hidden install/import behavior.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/.envView file
32patternName = blocked_file
severity = critical
matchedText = dist/.env
redactedSecretContext =
secretLikeLines = 4
L32: OPENAI_API_KEY=<redacted:0 empty>
L47: MIDSCENE_MODEL_API_KEY=<redacted:39 token-like>
L48: MIDSCENE_MODEL_NAME=<redacted:29 token-like>
L49: MIDSCENE_MODEL_FAMILY=<redacted:22 token-like>
Critical
dist/task/scheduler.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @aiscene/aiserver@1.8.9
matchedIdentity = npm:QGFpc2NlbmUvYWlzZXJ2ZXI:1.8.9
similarity = 0.844
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/task/scheduler.jsView on unpkgFindings
1 Critical1 High2 Medium4 Low
CriticalCritical Secretdist/.env
HighPrevious Version Dangerous Deltadist/task/scheduler.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings