registry  /  homebridge-smartthings-km81  /  1.8.18

homebridge-smartthings-km81@1.8.18

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime code implements a Homebridge platform for Samsung SmartThings and legacy AC devices; one webhook helper can fetch a caller-provided HTTPS confirmation URL but no exfiltration or install-time abuse is present.

Static reason
One or more suspicious static signals were detected.
Trigger
Homebridge runtime after user configures devices or OAuth redirect/webhook handling
Impact
Controls configured Samsung devices and stores SmartThings OAuth tokens locally; no evidence of unauthorized data theft, persistence, or remote payload execution.
Mechanism
Homebridge device integration with OAuth token storage and device command polling
Rationale
Static inspection shows expected Homebridge SmartThings/legacy AC behavior with package-aligned network access and local token persistence, not malicious install/import-time execution or exfiltration. The bundled private key and webhook confirmation fetch are security-sensitive but explained by the legacy AC/OAuth flow and do not establish malicious intent.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/auth/OAuthServer.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jslib/accessories/SmartAC.jslib/accessories/Laundry.jsconfig.schema.jsoncert/cert.pemsmartthings_km81_token.jsonsmartthings_km81_token.json.tmp
Network endpoints5
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorizeconfigured legacy AC IP:8888POST-supplied confirmationUrl via https.get

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • lib/auth/OAuthServer.js accepts POST webhook confirmation and performs https.get to supplied confirmationUrl.
  • cert/cert.pem contains a bundled Samsung legacy AC client private key/certificate used by LegacyAC.
Evidence against
  • package.json has no lifecycle scripts or bin entries; main is index.js Homebridge registration only.
  • Network use is package-aligned: SmartThings OAuth/API and configured legacy AC device TLS.
  • SmartThings tokens are read/written only under api.user.persistPath() as smartthings_km81_token.json with 0600 tmp write and rename.
  • No child_process, eval/vm/Function, dynamic remote require, native binary loading, or install-time mutation found.
  • Accessory registration/unregistration is confined to Homebridge platform APIs at runtime.
  • Bundled cert is loaded only when user configures legacyAc and may be overridden by certPath/keyPath.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 114 KB of source, external domains: api.smartthings.com

Source & flagged code

2 flagged · loading source
cert/cert.pemView file
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

cert/cert.pemView on unpkg · L5
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in cert/cert.pem

cert/cert.pemView on unpkg · L5

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings