registry  /  video-core-sdk  /  1.0.20

video-core-sdk@1.0.20

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are browser/media SDK functionality and require application/user invocation, not install-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application imports/uses the SDK to render or export video in a browser-like environment.
Impact
Expected video rendering/export behavior; no source-grounded exfiltration or compromise path found.
Mechanism
frontend media rendering, asset fetch, ffmpeg wasm, user-selected file export
Rationale
Static inspection shows a bundled frontend video SDK with package-aligned network access and user-invoked file export, while scanner protestware/network hints appear to be noisy matches from URLs/comments and media code. No concrete malicious install-time, import-time, exfiltration, persistence, or destructive behavior was found.
Evidence
package.jsonREADME.mdvideoCoreSDK.react.es.min.js
Network endpoints5
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.comvideo.h5ds.com/docs/sdk/core.html

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Browser bundle uses fetch/FileSystem APIs for media loading, ffmpeg wasm loading, and user-initiated export output.
  • Manifest main points to videoCoreSDK.react.es.js, but package contains videoCoreSDK.react.es.min.js.
Evidence against
  • package.json has no lifecycle scripts or bin entries.
  • README describes a frontend video rendering SDK using Canvas, WebCodecs, ffmpeg, and WebGL.
  • videoCoreSDK.react.es.min.js exports React/browser video rendering classes and attaches window.VideoCoreSDKExport.
  • Network URLs are package-aligned CDN/docs/assets: h5ds.com/cdn.h5ds.com plus shader/source attribution comments.
  • No credential/env harvesting, child_process, persistence, destructive install behavior, or AI-agent control writes found.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.79 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Critical1 Medium5 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidence