registry  /  video-core-sdk  /  1.0.26

video-core-sdk@1.0.26

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a browser video rendering SDK with user-invoked media loading and encoding behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports the package and calls exported SDK APIs.
Impact
No credential harvesting, install-time execution, persistence, or destructive action identified.
Mechanism
browser media rendering and user-invoked asset fetches
Rationale
Static source inspection supports a benign browser video SDK; suspicious primitives are aligned with media loading/encoding and are user-invoked. The manifest main points to a missing non-minified filename, but that is a packaging quality issue rather than malicious behavior.
Evidence
package.jsonREADME.mdvideo-core-sdk.d.tsvideoCoreSDK.react.es.min.jstypes/react-pixi/utils/utils.d.ts
Network endpoints5
video.h5ds.comvideo.h5ds.com/docs/sdk/core.htmlcdn.h5ds.comcdn.h5ds.com/assets/images/404.pngcdn.h5ds.com/assets/effectcanvas/

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts, bin, dependencies, or install hooks.
    • Published files are README, types, package.json, and one bundled browser ESM file.
    • Bundle exports React/Pixi video rendering, encoding, FFmpeg helpers, and types matching README purpose.
    • Network use is fetch/CDN loading for media, workers, FFmpeg/effect assets, or user-provided URLs; no exfil endpoint found.
    • No child_process, fs file harvesting, process.env credential access, persistence, destructive behavior, or AI-agent control writes found.
    • Scanner protestware hint appears noisy; inspected source has no protest/destructive logic.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Critical1 Medium3 Low
    CriticalProtestware
    MediumNetwork
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings