registry  /  video-core-sdk  /  1.0.39

video-core-sdk@1.0.39

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The observed network and file APIs are browser media loading, CDN fallback assets, ffmpeg wasm loading, and user-invoked export output for a video SDK.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Runtime SDK initialization, media loading, loadFFmpeg, or video/audio export methods.
Impact
Expected resource download and user-directed video/audio output; no evidence of exfiltration or unauthorized mutation.
Mechanism
Browser media rendering/encoding with fetch/XMLHttpRequest and WebCodecs/ffmpeg-wasm.
Rationale
Static source inspection shows a large minified browser video SDK bundle whose suspicious primitives are aligned with media loading and export functionality. Scanner protestware/network hints appear noisy; no concrete malicious behavior was found.
Evidence
package.jsonREADME.mdvideo-core-sdk.js
Network endpoints5
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.comvideo.h5ds.com/docs/sdk/core.html

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts, bin, or install hooks; main is video-core-sdk.js.
    • README describes a browser video rendering SDK using Canvas/WebCodecs/WebGL/ffmpeg.
    • video-core-sdk.js is a minified browser bundle importing React and exporting VideoCoreSDK/MovieEncoding/loadFFmpeg.
    • Network use is package-aligned: media/resource fetches, CDN defaults, and ffmpeg wasm asset loading.
    • File writes are user/runtime export flows: showSaveFilePicker or caller-provided nodeFileStreamWrite for rendered video output.
    • No credential/env harvesting, npmrc/SSH access, child_process, persistence, destructive project writes, or AI-agent control-surface mutation found.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Critical1 Medium3 Low
    CriticalProtestware
    MediumNetwork
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings