AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package provides user-invoked BLE/TCP/MQTT device-management functions; networking occurs only when callers invoke connection methods.
Static reason
One or more suspicious static signals were detected.
Trigger
Caller invokes device connection, MQTT, TCP, or OTA APIs.
Impact
Can communicate with configured Jiabaida device services and connected devices as part of its stated runtime role; no unconsented host mutation or credential exfiltration chain was found.
Mechanism
Device provisioning, MQTT command relay, and BLE/TCP battery-management protocol handling.
Rationale
Static inspection shows a device-management library with explicit runtime networking and firmware handling, not install-time or stealth behavior. The embedded key and credential logging are security-quality concerns, but do not establish malicious intent or a concrete exfiltration chain.
Evidence
package.jsonsrc/index.jssrc/core/mqttServer.jssrc/core/tcpServer.jssrc/core/OtaUpgrade.jssrc/core/rsaEncrypt.jssrc/core/Transfer.js
Network endpoints3
wxs://mqtt.jiabaida.com/mqttcloud.jiabaida.com/bluetooth/server/device/networkModelcloud.jiabaida.com:10241
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with medium false-positive risk.
Evidence for block
- `src/core/mqttServer.js` decrypts provisioning credentials and opens an MQTT connection only in `connectMqtt(deviceObj)`.
- `src/core/mqttServer.js` accepts platform MQTT commands and forwards them to the connected device protocol.
- `src/core/rsaEncrypt.js` embeds an RSA private key, explaining the scanner's possible-secret signal.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook or executable entrypoint.
- `src/index.js` only re-exports modules; import-time construction does not connect or issue requests.
- MQTT and HTTP endpoints are Jiabaida device-service endpoints and are invoked through explicit runtime methods.
- No source use of shell execution, eval/vm, environment harvesting, Node filesystem writes, agent configuration, or exfiltration primitives was found.
- OTA file access in `src/core/OtaUpgrade.js` reads user-selected firmware for device upgrade.
Behavioral surface
ChildProcessFilesystem
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/esm/core/mqttServer.jsView file
1patternName = generic_password
severity = medium
line = 1
matchedText = import S...er};
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/esm/core/mqttServer.jsView on unpkg · L1dist/cjs/core/mqttServer.jsView file
1patternName = generic_password
severity = medium
line = 1
matchedText = "use str...ver;
Medium
Secret Pattern
Hardcoded password in dist/cjs/core/mqttServer.js
dist/cjs/core/mqttServer.jsView on unpkg · L1src/core/mqttServer.jsView file
96patternName = generic_password
severity = medium
line = 96
matchedText = console....ord)
Medium
Findings
3 Medium5 Low
MediumSecret Patterndist/esm/core/mqttServer.js
MediumSecret Patterndist/cjs/core/mqttServer.js
MediumSecret Patternsrc/core/mqttServer.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings