AI Security Review
scanned 3h ago · by lpm-firewall-aiAt runtime, the plugin starts an unauthenticated HTTP server on port 8999 for OAuth/webhook handling. Any POST carrying a SmartThings-shaped confirmation object can make it issue an outbound HTTPS request to an attacker-selected URL.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A network client sends a POST request to the running OAuth server.
Impact
An attacker able to reach port 8999 may use the Homebridge host for HTTPS requests to reachable destinations.
Mechanism
Unauthenticated webhook confirmation URL fetch (SSRF).
Rationale
The package is not malicious by source inspection, but its unauthenticated webhook confirmation fetch creates a concrete runtime SSRF risk. The bundled TLS key and disabled verification are security concerns aligned with its legacy-device protocol, not evidence of an attack chain.
Evidence
package.jsonindex.jslib/auth/OAuthServer.jslib/api/SmartThingsClient.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jscert/cert.pem
Network endpoints3
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorize
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- lib/auth/OAuthServer.js accepts any POST confirmationUrl and calls https.get on it.
- OAuth server listens on port 8999 without authentication or source validation.
- cert/cert.pem bundles a private key and client certificate material.
- lib/api/LegacyACClient.js disables TLS certificate verification for legacy AC traffic.
Evidence against
- package.json has no preinstall, install, postinstall, or bin hooks.
- Network calls otherwise target SmartThings OAuth/API or configured local legacy-AC IPs.
- Token reads/writes stay in Homebridge's persistPath with mode 0600.
- No child_process, eval/vm, dynamic loading, environment harvesting, or AI-agent control-surface writes found.
- LegacyAC.js implements device-control and state logic; the flagged new file is package-aligned.
Behavioral surface
CryptoFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcecert/cert.pemView file
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
5patternName = private_key_rsa
severity = critical
line = 5
matchedText = -----BEG...----
Critical
lib/accessories/LegacyAC.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = homebridge-smartthings-km81@1.8.23
matchedIdentity = npm:[redacted]:1.8.23
similarity = 0.571
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/accessories/LegacyAC.jsView on unpkgFindings
2 Critical1 High1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
HighPrevious Version Dangerous Deltalib/accessories/LegacyAC.js
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings