registry  /  homebridge-smartthings-km81  /  1.8.19

homebridge-smartthings-km81@1.8.19

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network and token storage support the advertised Homebridge SmartThings/Samsung AC integration.

Static reason
One or more suspicious static signals were detected.
Trigger
Homebridge loads the platform and user config enables SmartThings or legacy AC devices.
Impact
Controls configured Samsung devices and stores user OAuth tokens locally for plugin operation; no evidence of unconsented exfiltration or install-time mutation.
Mechanism
OAuth token exchange/storage, SmartThings REST calls, local OAuth callback server, configured LAN TLS AC control
Rationale
Static inspection shows a normal Homebridge plugin whose suspicious primitives are aligned with SmartThings OAuth/API access and legacy Samsung AC TLS control. The bundled private key is used as a device client certificate and there is no install-time execution, credential harvesting beyond user OAuth flow, exfiltration, shell execution, or persistence mechanism.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/auth/OAuthServer.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jslib/accessories/SmartAC.jslib/accessories/Laundry.jsconfig.schema.jsoncert/cert.pemapi.user.persistPath()/smartthings_km81_token.jsonapi.user.persistPath()/smartthings_km81_token.json.tmp
Network endpoints6
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorizelocalhost:8999configured legacy AC IP:8888SmartThings webhook confirmationUrl

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • cert/cert.pem contains a private key/certificate used as the default Legacy AC TLS client cert.
  • lib/auth/OAuthServer.js starts a local HTTP OAuth callback server and follows SmartThings webhook confirmationUrl values.
  • lib/api/SmartThingsClient.js stores OAuth tokens under Homebridge persistPath as smartthings_km81_token.json.
Evidence against
  • package.json has no lifecycle scripts or bin entries; main is index.js Homebridge platform registration only.
  • Network use is package-aligned: SmartThings API/OAuth and configured Samsung AC LAN TLS endpoints.
  • No child_process, eval/vm/Function, dynamic code loading, npm script execution, persistence outside Homebridge accessories, or AI-agent config writes found.
  • Token file reads/writes are limited to api.user.persistPath()/smartthings_km81_token.json with mode 0600 and cleanup of temp files.
  • cert/cert.pem is read for legacy Samsung AC TLS auth; no code exfiltrates it or harvests unrelated files.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 116 KB of source, external domains: api.smartthings.com

Source & flagged code

2 flagged · loading source
cert/cert.pemView file
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

cert/cert.pemView on unpkg · L5
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in cert/cert.pem

cert/cert.pemView on unpkg · L5

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings