registry  /  video-core-sdk  /  1.0.41

video-core-sdk@1.0.41

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled browser video SDK that fetches media/CDN assets and can write exported video through user-invoked browser/server rendering flows.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports SDK and invokes rendering/export APIs.
Impact
Expected video rendering/export behavior; no confirmed credential theft, install-time execution, or persistence.
Mechanism
Browser media rendering, asset fetching, and ffmpeg WASM export helpers
Rationale
Static inspection found a large minified browser SDK with package-aligned network and media/export APIs, but no install-time code, exfiltration, credential/file harvesting, destructive behavior, or persistence. Scanner protestware/network labels are noisy against bundled shader/library comments and expected CDN/media functionality.
Evidence
package.jsonvideo-core-sdk.jsREADME.md
Network endpoints5
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.comvideo.h5ds.com/docs/sdk/core.html

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • video-core-sdk.js contains browser fetch/XMLHttpRequest and ffmpeg WASM file APIs.
  • video-core-sdk.js assigns exports to window.VideoCoreSDKExport at import time.
Evidence against
  • package.json has no lifecycle scripts and only main: video-core-sdk.js.
  • README.md describes a browser video rendering SDK using WebCodecs, ffmpeg, and WebGL.
  • Network URLs are package-aligned CDN/docs/resources: cdn.h5ds.com and video.h5ds.com.
  • No child_process, credential harvesting, persistence, destructive filesystem access, or AI-agent control-surface writes found.
  • The protestware hint appears attributable to bundled shader/comment text and unrelated URL strings, not active sabotage logic.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Critical1 Medium5 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidence