registry  /  video-core-sdk  /  1.0.33

video-core-sdk@1.0.33

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The risky primitives are browser media fetch/export and ffmpeg WASM loading consistent with the SDK's stated video-rendering purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the SDK and calls rendering/export APIs.
Impact
Expected rendering/export behavior; no confirmed exfiltration or unauthorized execution.
Mechanism
Browser video rendering, media fetch, ffmpeg WASM loading, and user-initiated file export.
Rationale
Static hints appear noisy: the protestware/network matches resolve to bundled comments/URLs and package-aligned CDN/media functionality. The missing main file is a packaging defect risk, not evidence of malicious behavior.
Evidence
package.jsonREADME.mdvideo-core-sdk.d.tsvideoCoreSDK.react.es.min.js
Network endpoints4
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json main points to missing videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
Evidence against
  • package.json has no lifecycle scripts or bin entries.
  • README describes a browser canvas/video rendering SDK using project JSON and user-supplied media.
  • Bundled JS exports VideoCoreSDK, MovieEncoding, AudioEncoding, helpers, and browser globals for rendering/export.
  • Network use is aligned with media loading, ffmpeg/effect assets, and documented h5ds CDN/website endpoints.
  • No credential/env harvesting, cookie/localStorage theft, shell child_process, persistence, destructive actions, or AI-agent control writes found.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Ai Review Evidence

package.json main points to missing videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.

package.jsonView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencepackage.json