AI Security Review
scanned 2h ago · by lpm-firewall-aiA Homebridge runtime initialization logs a configured credential to the platform debug logger. No install-time execution, foreign control-surface mutation, or external credential exfiltration is established.
Static reason
No blocking static signals were detected.
Trigger
Homebridge loads and initializes the configured Teslemetry platform.
Impact
The Teslemetry token may be exposed to users or systems able to read Homebridge debug logs.
Mechanism
Sensitive access-token logging during platform construction.
Rationale
The package is not malicious by source behavior, but it has a concrete credential-exposure flaw through debug logging. Flag as warn until the token logging is removed.
Evidence
package.jsondist/index.jsdist/platform.jsdist/vehicle.jsdist/energy.jsdist/vehicle-services/dist/energy-services/publish.shrebase.shconfig.schema.jsonREADME.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/platform.js:28` logs the configured Teslemetry access token during platform initialization.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook runs for consumers.
- `dist/index.js` only registers the Homebridge platform.
- `dist/platform.js` uses `tesla-fleet-api` for configured vehicle/energy discovery.
- Runtime scan found no child-process, eval, dynamic loading, filesystem harvesting, or arbitrary network code.
- Vehicle and energy mutations are bound to explicit Homebridge characteristic `onSet` handlers.
Behavioral surface
Source & flagged code
1 flagged · loading sourcepublish.shView file
•path = publish.sh
kind = build_helper
sizeBytes = 116
magicHex = [redacted]
Medium
Findings
1 Medium2 Low
MediumShips Build Helperpublish.sh
LowNon Install Lifecycle Scripts
LowScripts Present