AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser video SDK; network and file APIs are used for asset loading, FFmpeg WASM loading, and user-initiated media export.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Import/use of SDK rendering or export APIs by an application user.
Impact
Expected CDN/resource fetches and user-chosen video/audio export; no unconsented exfiltration or install-time execution identified.
Mechanism
browser media rendering and export helpers
Rationale
Static source inspection supports a clean verdict: the suspicious primitives are consistent with a frontend video rendering/export SDK and require application/user invocation. The missing declared main file is a packaging defect, not evidence of malware.
Evidence
package.jsonREADME.mdvideo-core-sdk.d.tsvideoCoreSDK.react.es.min.js
Network endpoints5
video.h5ds.comvideo.h5ds.com/docs/sdk/core.htmlcdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.png
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares missing main file videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
- videoCoreSDK.react.es.min.js contains browser fetch, FFmpeg WASM, and save-file APIs that are powerful but package-aligned.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts or bin entries.
- README describes a browser video rendering/export SDK using webcodes, ffmpeg, and webgl.
- Network URLs are aligned with docs/CDN assets: video.h5ds.com and cdn.h5ds.com.
- No credential/env/cookie/localStorage harvesting or beacon/WebSocket exfiltration found.
- No child_process, fs require, persistence, destructive behavior, or AI-agent control writes found.
- Protestware scan appears noisy; source matches are ordinary words/code, not sabotage logic.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Ai Review Evidence
package.json declares missing main file videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
package.jsonView on unpkgFindings
1 Critical1 Medium5 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencepackage.json
LowAi Review Evidence