registry  /  video-core-sdk  /  1.0.49

video-core-sdk@1.0.49

Core-SDK 是渲染部分的 SDK,传入工程数据(JSON)可以将数据绘制到 Canvas 上。

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a browser video rendering/export SDK with asset fetching and user-invoked media export behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Runtime import and user calls such as VideoCoreSDK.init(), loadFFmpeg(), or MovieEncoding.run().
Impact
Expected rendering/export behavior; no evidence of exfiltration, persistence, or unauthorized mutation.
Mechanism
Browser media rendering, asset fetch, ffmpeg WASM processing, and user-directed export
Rationale
Static inspection shows a bundled front-end video SDK whose network and file-like primitives are aligned with loading media/assets and exporting generated video/audio. There are no lifecycle hooks, credential collection, install/import-time mutation, or concrete malicious behavior.
Evidence
package.jsonREADME.mdvideo-core-sdk.js
Network endpoints4
cdn.h5ds.comcdn.h5ds.com/assets/effectcanvas/cdn.h5ds.com/assets/images/404.pngvideo.h5ds.com

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • video-core-sdk.js references fetch/XMLHttpRequest and h5ds CDN URLs for media/assets.
  • video-core-sdk.js includes ffmpeg WASM helpers using writeFile/readFile/deleteFile on the ffmpeg virtual filesystem.
  • video-core-sdk.js uses browser save/download APIs for exported mp4/mp3 output.
Evidence against
  • package.json has no lifecycle scripts or bin entry; main is video-core-sdk.js.
  • README.md describes a front-end video rendering SDK using canvas/webgl/webcodecs/ffmpeg.
  • Network URLs are package-aligned assets/docs/CDN endpoints: cdn.h5ds.com and video.h5ds.com.
  • No child_process usage, credential/env harvesting, persistence, destructive project-file writes, or install-time execution found.
  • Protestware keywords are noisy matches inside minified rendering code names like stop/war/delete/remove, not political or sabotage logic.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.80 MB of source, external domains: cdn.h5ds.com, mths.be

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Critical1 Medium6 Low
CriticalProtestware
MediumNetwork
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidence
LowAi Review Evidence