registry  /  video-core-sdk  /  1.0.18

video-core-sdk@1.0.18

无界云剪MP4渲染内核,基于webcodes + ffmpeg + webgl开发,纯前端MP4视频的编解码,MP3混音。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Observed network and file APIs are browser SDK behavior for loading media/assets and saving rendered video after user/runtime invocation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports SDK and calls rendering/encoding APIs
Impact
No confirmed unauthorized impact; package may fail default import because manifest main references a missing file
Mechanism
Browser video rendering/encoding library
Rationale
Static inspection shows a bundled browser video SDK with package-aligned network/resource loading and user-invoked export/save functionality, not malware. The scanner's protestware/network hints appear to be noisy matches from bundled shader/source comments and documented website/CDN URLs.
Evidence
package.jsonREADME.mdvideoCoreSDK.react.es.min.js
Network endpoints5
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.comvideo.h5ds.com/docs/sdk/core.html

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json main points to missing videoCoreSDK.react.es.js while package contains videoCoreSDK.react.es.min.js
Evidence against
  • package.json has no lifecycle scripts or bin entries
  • README describes a front-end video/WebCodecs/ffmpeg/WebGL SDK
  • videoCoreSDK.react.es.min.js exports React/browser video rendering and encoding APIs
  • fetch usage downloads caller-provided media/ffmpeg assets for video processing
  • Function("return this") appears in bundled library global detection, not payload execution
  • No credential/env harvesting, install-time execution, shell, persistence, or destructive behavior found
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.79 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Ai Review Evidence

package.json main points to missing videoCoreSDK.react.es.js while package contains videoCoreSDK.react.es.min.js

package.jsonView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencepackage.json