registry  /  @baishuyun/ai-office  /  1.2.3

@baishuyun/ai-office@1.2.3

Baishuyunw AI 办公模式

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Runtime network calls support AI-office UI features such as bot listing and attachment transfer using caller-provided URLs/endpoints.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/runs the library in a host web app and invokes UI/plugin features.
Impact
No evidence of credential harvesting, persistence, destructive behavior, or unconsented lifecycle mutation.
Mechanism
browser-side React plugin/UI SDK with dynamic host-provided fetches
Rationale
Static inspection shows a normal React/TypeScript AI-office component/plugin package with no lifecycle execution and no hardcoded exfiltration or host persistence. The suspicious network and secret-pattern signals are explained by runtime feature fetches to caller-provided endpoints and bundled base64 UI images.
Evidence
package.jsonsrc/index.tssrc/sdk.tssdk.jssrc/lib/utils.tssrc/app/utils/attachments.tssrc/app/service/fetch-bots.tssrc/core/plugin-system/PluginManager.tssrc/plugin-sdk/plugin.tsscripts/validate-build.jsvite.config.tssrc/const/ui.ts

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/lib/utils.ts and src/app/utils/attachments.ts can download arbitrary user-provided attachment URLs and upload to a provided endpoint at runtime.
  • src/app/service/fetch-bots.ts fetches from a caller-provided apiEndpoint plus /agent/all-bots.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks or bin entries.
  • package.json exports browser/library builds only: dist/ai-office.js, dist/ai-office.umd.cjs, dist/sdk.js, and types/styles.
  • No child_process, eval/new Function, filesystem writes, homedir access, native binaries, or agent control-surface files found in source scans.
  • Network usage is package-aligned UI/file/agent functionality and uses caller-supplied endpoints rather than hardcoded exfiltration hosts.
  • The scanner secret-pattern hit is explained by bundled data:image base64 UI assets in src/const/ui.ts and dist bundles.
  • PluginManager loads built-in/external plugin objects inside the app API; no npm install-time registration or foreign AI-agent surface mutation found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 253 file(s), 4.99 MB of source, external domains: github.com, jedwatson.github.io, json-schema.org, radix-ui.com, tailwindcss.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/index-DsVFpmkp.jsView file
2923patternName = generic_password severity = medium line = 2923 matchedText = password...4;",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index-DsVFpmkp.jsView on unpkg · L2923
dist/sdk.jsView file
2920patternName = generic_password severity = medium line = 2920 matchedText = password...4;",
Medium
Secret Pattern

Hardcoded password in dist/sdk.js

dist/sdk.jsView on unpkg · L2920
dist/ai-office.umd.cjsView file
5patternName = generic_password severity = medium line = 5 matchedText = url(data..."),`
Medium
Secret Pattern

Hardcoded password in dist/ai-office.umd.cjs

dist/ai-office.umd.cjsView on unpkg · L5

Findings

5 Medium4 Low
MediumSecret Patterndist/index-DsVFpmkp.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/sdk.js
MediumSecret Patterndist/ai-office.umd.cjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings