registry  /  homebridge-smartthings-km81  /  1.8.23

homebridge-smartthings-km81@1.8.23

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network behavior is limited to SmartThings OAuth/API requests and TLS control of a user-configured legacy AC; local writes are token persistence and an opt-in state dump.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Homebridge loads the configured platform; OAuth listener starts only when SmartThings authentication is needed.
Impact
Controls configured appliances and persists OAuth credentials/state locally as expected for the plugin.
Mechanism
Homebridge SmartThings/legacy-AC integration with OAuth token persistence and local TLS device control.
Rationale
Direct source inspection found no install-time execution, exfiltration, remote payload loading, persistence outside documented Homebridge state, or destructive behavior. The flagged new LegacyAC functionality is device-control timing plus an explicitly configured local state export, not an attack chain.
Evidence
package.jsonindex.jslib/api/SmartThingsClient.jslib/api/LegacyACClient.jslib/auth/OAuthServer.jslib/accessories/LegacyAC.jscert/cert.pem
Network endpoints3
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorize

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `cert/cert.pem` embeds a private key, but source uses it only as default TLS client credentials for configured legacy AC access.
  • `lib/accessories/LegacyAC.js` can write an opt-in `stateDumpFile`, a user-configured local state export.
Evidence against
  • `package.json` has no preinstall/install/postinstall or executable hook.
  • `index.js` registers a Homebridge platform and starts runtime work only after Homebridge lifecycle events.
  • `lib/api/SmartThingsClient.js` sends OAuth/device traffic only to `api.smartthings.com` and stores OAuth tokens in Homebridge's persist path with mode 0600.
  • `lib/api/LegacyACClient.js` uses TLS only to the configured local AC IP; no shell, eval, dynamic loading, or payload execution was found.
  • `lib/auth/OAuthServer.js` only provides the documented OAuth callback listener on port 8999.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 126 KB of source, external domains: api.smartthings.com

Source & flagged code

3 flagged · loading source
cert/cert.pemView file
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

cert/cert.pemView on unpkg · L5
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in cert/cert.pem

cert/cert.pemView on unpkg · L5
lib/accessories/LegacyAC.jsView file
matchType = previous_version_dangerous_delta matchedPackage = homebridge-smartthings-km81@1.8.19 matchedIdentity = npm:[redacted]:1.8.19 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/accessories/LegacyAC.jsView on unpkg

Findings

2 Critical1 High1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
HighPrevious Version Dangerous Deltalib/accessories/LegacyAC.js
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings