AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime code implements a Homebridge platform for Samsung SmartThings and legacy AC devices; one webhook helper can fetch a caller-provided HTTPS confirmation URL but no exfiltration or install-time abuse is present.
Static reason
One or more suspicious static signals were detected.
Trigger
Homebridge runtime after user configures devices or OAuth redirect/webhook handling
Impact
Controls configured Samsung devices and stores SmartThings OAuth tokens locally; no evidence of unauthorized data theft, persistence, or remote payload execution.
Mechanism
Homebridge device integration with OAuth token storage and device command polling
Rationale
Static inspection shows expected Homebridge SmartThings/legacy AC behavior with package-aligned network access and local token persistence, not malicious install/import-time execution or exfiltration. The bundled private key and webhook confirmation fetch are security-sensitive but explained by the legacy AC/OAuth flow and do not establish malicious intent.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/auth/OAuthServer.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jslib/accessories/SmartAC.jslib/accessories/Laundry.jsconfig.schema.jsoncert/cert.pemsmartthings_km81_token.jsonsmartthings_km81_token.json.tmp
Network endpoints5
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorizeconfigured legacy AC IP:8888POST-supplied confirmationUrl via https.get
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- lib/auth/OAuthServer.js accepts POST webhook confirmation and performs https.get to supplied confirmationUrl.
- cert/cert.pem contains a bundled Samsung legacy AC client private key/certificate used by LegacyAC.
Evidence against
- package.json has no lifecycle scripts or bin entries; main is index.js Homebridge registration only.
- Network use is package-aligned: SmartThings OAuth/API and configured legacy AC device TLS.
- SmartThings tokens are read/written only under api.user.persistPath() as smartthings_km81_token.json with 0600 tmp write and rename.
- No child_process, eval/vm/Function, dynamic remote require, native binary loading, or install-time mutation found.
- Accessory registration/unregistration is confined to Homebridge platform APIs at runtime.
- Bundled cert is loaded only when user configures legacyAc and may be overridden by certPath/keyPath.
Behavioral surface
CryptoFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcecert/cert.pemView file
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings