AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The risky primitives are browser media fetch/export and ffmpeg WASM loading consistent with the SDK's stated video-rendering purpose.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the SDK and calls rendering/export APIs.
Impact
Expected rendering/export behavior; no confirmed exfiltration or unauthorized execution.
Mechanism
Browser video rendering, media fetch, ffmpeg WASM loading, and user-initiated file export.
Rationale
Static hints appear noisy: the protestware/network matches resolve to bundled comments/URLs and package-aligned CDN/media functionality. The missing main file is a packaging defect risk, not evidence of malicious behavior.
Evidence
package.jsonREADME.mdvideo-core-sdk.d.tsvideoCoreSDK.react.es.min.js
Network endpoints4
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.com
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json main points to missing videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
Evidence against
- package.json has no lifecycle scripts or bin entries.
- README describes a browser canvas/video rendering SDK using project JSON and user-supplied media.
- Bundled JS exports VideoCoreSDK, MovieEncoding, AudioEncoding, helpers, and browser globals for rendering/export.
- Network use is aligned with media loading, ffmpeg/effect assets, and documented h5ds CDN/website endpoints.
- No credential/env harvesting, cookie/localStorage theft, shell child_process, persistence, destructive actions, or AI-agent control writes found.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Ai Review Evidence
package.json main points to missing videoCoreSDK.react.es.js while only videoCoreSDK.react.es.min.js is present.
package.jsonView on unpkgFindings
1 Critical1 Medium4 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencepackage.json