AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network and token storage support the advertised Homebridge SmartThings/Samsung AC integration.
Static reason
One or more suspicious static signals were detected.
Trigger
Homebridge loads the platform and user config enables SmartThings or legacy AC devices.
Impact
Controls configured Samsung devices and stores user OAuth tokens locally for plugin operation; no evidence of unconsented exfiltration or install-time mutation.
Mechanism
OAuth token exchange/storage, SmartThings REST calls, local OAuth callback server, configured LAN TLS AC control
Rationale
Static inspection shows a normal Homebridge plugin whose suspicious primitives are aligned with SmartThings OAuth/API access and legacy Samsung AC TLS control. The bundled private key is used as a device client certificate and there is no install-time execution, credential harvesting beyond user OAuth flow, exfiltration, shell execution, or persistence mechanism.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/auth/OAuthServer.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jslib/accessories/SmartAC.jslib/accessories/Laundry.jsconfig.schema.jsoncert/cert.pemapi.user.persistPath()/smartthings_km81_token.jsonapi.user.persistPath()/smartthings_km81_token.json.tmp
Network endpoints6
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorizelocalhost:8999configured legacy AC IP:8888SmartThings webhook confirmationUrl
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- cert/cert.pem contains a private key/certificate used as the default Legacy AC TLS client cert.
- lib/auth/OAuthServer.js starts a local HTTP OAuth callback server and follows SmartThings webhook confirmationUrl values.
- lib/api/SmartThingsClient.js stores OAuth tokens under Homebridge persistPath as smartthings_km81_token.json.
Evidence against
- package.json has no lifecycle scripts or bin entries; main is index.js Homebridge platform registration only.
- Network use is package-aligned: SmartThings API/OAuth and configured Samsung AC LAN TLS endpoints.
- No child_process, eval/vm/Function, dynamic code loading, npm script execution, persistence outside Homebridge accessories, or AI-agent config writes found.
- Token file reads/writes are limited to api.user.persistPath()/smartthings_km81_token.json with mode 0600 and cleanup of temp files.
- cert/cert.pem is read for legacy Samsung AC TLS auth; no code exfiltrates it or harvests unrelated files.
Behavioral surface
CryptoFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcecert/cert.pemView file
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings