AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network behavior is limited to SmartThings OAuth/API requests and TLS control of a user-configured legacy AC; local writes are token persistence and an opt-in state dump.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Homebridge loads the configured platform; OAuth listener starts only when SmartThings authentication is needed.
Impact
Controls configured appliances and persists OAuth credentials/state locally as expected for the plugin.
Mechanism
Homebridge SmartThings/legacy-AC integration with OAuth token persistence and local TLS device control.
Rationale
Direct source inspection found no install-time execution, exfiltration, remote payload loading, persistence outside documented Homebridge state, or destructive behavior. The flagged new LegacyAC functionality is device-control timing plus an explicitly configured local state export, not an attack chain.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/api/LegacyACClient.jslib/auth/OAuthServer.jslib/accessories/LegacyAC.jscert/cert.pem
Network endpoints3
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorize
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- `cert/cert.pem` embeds a private key, but source uses it only as default TLS client credentials for configured legacy AC access.
- `lib/accessories/LegacyAC.js` can write an opt-in `stateDumpFile`, a user-configured local state export.
Evidence against
- `package.json` has no preinstall/install/postinstall or executable hook.
- `index.js` registers a Homebridge platform and starts runtime work only after Homebridge lifecycle events.
- `lib/api/SmartThingsClient.js` sends OAuth/device traffic only to `api.smartthings.com` and stores OAuth tokens in Homebridge's persist path with mode 0600.
- `lib/api/LegacyACClient.js` uses TLS only to the configured local AC IP; no shell, eval, dynamic loading, or payload execution was found.
- `lib/auth/OAuthServer.js` only provides the documented OAuth callback listener on port 8999.
Behavioral surface
CryptoFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcecert/cert.pemView file
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
lib/accessories/LegacyAC.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = homebridge-smartthings-km81@1.8.19
matchedIdentity = npm:[redacted]:1.8.19
similarity = 0.714
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/accessories/LegacyAC.jsView on unpkgFindings
2 Critical1 High1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
HighPrevious Version Dangerous Deltalib/accessories/LegacyAC.js
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings