registry  /  @baishuyun/ai-office  /  1.1.0

@baishuyun/ai-office@1.1.0

Baishuyunw AI 办公模式

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Runtime network behavior is an AI office/chat UI using host-provided API endpoints and user-invoked attachment/voice features.

Static reason
One or more suspicious static signals were detected.
Trigger
Host application initializes AIOffice with apiEndpoint; users send chat messages, upload attachments, or start voice input.
Impact
Expected package-aligned network communication; no source evidence of exfiltration or persistence.
Mechanism
caller-configured chat, bot fetch, attachment upload/download, and ASR WebSocket
Rationale
Static inspection shows a React AI office/chat SDK with package-aligned, caller-configured network calls and no install/import-time malicious behavior. Suspicious scanner signals are explained by expected browser networking, process.env build replacement, and bundled image/base64 assets.
Evidence
package.jsonsrc/index.tssrc/app/components/ai-office/index.tsxsrc/app/hooks/useChatTransport.tssrc/app/service/fetch-bots.tssrc/app/utils/attachments.tssrc/app/hooks/use-voice-input.tsscripts/validate-build.jsvite.config.tsdist/index-Dk6eW5tc.js
Network endpoints4
${apiEndpoint}/common/connect${apiEndpoint}/agent/all-bots${apiEndpoint}/form/attachment/upload${apiEndpoint as ws}/asr

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall hooks; build/dev scripts are not lifecycle execution.
    • src/index.ts only exports AIOffice components and plugin SDK types/utilities.
    • Network use is caller-configured: apiEndpoint is passed into AIOffice and used for /common/connect, /agent/all-bots, attachment upload, and ASR WebSocket.
    • File transfer helpers in src/app/utils/attachments.ts and src/lib/utils.ts download/upload user-provided attachment URLs/endpoints, not local filesystem secrets.
    • No child_process, eval/new Function, filesystem writes, persistence, credential harvesting, or AI-agent control-surface writes found in src/package scripts.
    • Scanner secret hit in dist/index-Dk6eW5tc.js corresponds to bundled data:image/png/base64 asset content, not a credential.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 251 file(s), 4.99 MB of source, external domains: github.com, jedwatson.github.io, json-schema.org, radix-ui.com, tailwindcss.com, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/index-Dk6eW5tc.jsView file
    2923patternName = generic_password severity = medium line = 2923 matchedText = password...4;",
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index-Dk6eW5tc.jsView on unpkg · L2923
    dist/sdk.jsView file
    2920patternName = generic_password severity = medium line = 2920 matchedText = password...4;",
    Medium
    Secret Pattern

    Hardcoded password in dist/sdk.js

    dist/sdk.jsView on unpkg · L2920
    dist/ai-office.umd.cjsView file
    5patternName = generic_password severity = medium line = 5 matchedText = url(data..."),`
    Medium
    Secret Pattern

    Hardcoded password in dist/ai-office.umd.cjs

    dist/ai-office.umd.cjsView on unpkg · L5

    Findings

    5 Medium4 Low
    MediumSecret Patterndist/index-Dk6eW5tc.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/sdk.js
    MediumSecret Patterndist/ai-office.umd.cjs
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings