registry  /  video-core-sdk  /  1.0.21

video-core-sdk@1.0.21

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser video SDK; network and file APIs are used for asset loading, FFmpeg WASM loading, and user-initiated media export.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Import/use of SDK rendering or export APIs by an application user.
Impact
Expected CDN/resource fetches and user-chosen video/audio export; no unconsented exfiltration or install-time execution identified.
Mechanism
browser media rendering and export helpers
Rationale
Static source inspection supports a clean verdict: the suspicious primitives are consistent with a frontend video rendering/export SDK and require application/user invocation. The missing declared main file is a packaging defect, not evidence of malware.
Evidence
package.jsonREADME.mdvideo-core-sdk.d.tsvideoCoreSDK.react.es.min.js
Network endpoints5
video.h5ds.comvideo.h5ds.com/docs/sdk/core.htmlcdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.png

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares missing main file videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
  • videoCoreSDK.react.es.min.js contains browser fetch, FFmpeg WASM, and save-file APIs that are powerful but package-aligned.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts or bin entries.
  • README describes a browser video rendering/export SDK using webcodes, ffmpeg, and webgl.
  • Network URLs are aligned with docs/CDN assets: video.h5ds.com and cdn.h5ds.com.
  • No credential/env/cookie/localStorage harvesting or beacon/WebSocket exfiltration found.
  • No child_process, fs require, persistence, destructive behavior, or AI-agent control writes found.
  • Protestware scan appears noisy; source matches are ordinary words/code, not sabotage logic.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Ai Review Evidence

package.json declares missing main file videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.

package.jsonView on unpkg

Findings

1 Critical1 Medium5 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencepackage.json
LowAi Review Evidence