registry  /  iobroker.anker-solix  /  0.10.78

iobroker.anker-solix@0.10.78

ioBroker adapter for Anker Solix (based on ha-anker-solix)

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 203 KB of source, external domains: bootstrap.pypa.io

Source & flagged code

6 flagged · loading source
python/solixapi/session.pyView file
920patternName = private_key_rsa severity = critical line = 920 matchedText = "private... "",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

python/solixapi/session.pyView on unpkg · L920
920patternName = private_key_rsa severity = critical line = 920 matchedText = "private... "",
Critical
Secret Pattern

RSA private key in python/solixapi/session.py

python/solixapi/session.pyView on unpkg · L920
tools/pythonInstallEnv.jsView file
4L5: const fs = require("node:fs"); L6:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tools/pythonInstallEnv.jsView on unpkg · L4
tools/install-python.jsView file
7L8: const { spawnSync } = require("node:child_process"); L9: const fs = require("node:fs"); L10: const https = require("node:https"); L11: const path = require("node:path"); ... L15: L16: const adapterRoot = path.join(__dirname, ".."); L17: const requirements = path.join(adapterRoot, "python", "requirements.txt"); ... L51: function venvPython() { L52: if (process.platform === "win32") { L53: return path.join(venvDir, "Scripts", "python.exe"); ... L74: ok: result.status === 0,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

tools/install-python.jsView on unpkg · L7
python/battery_power_pick.pyView file
path = python/battery_power_pick.py kind = build_helper sizeBytes = 10332 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/battery_power_pick.pyView on unpkg
build/lib/pythonBridge.jsView file
matchType = previous_version_dangerous_delta matchedPackage = iobroker.anker-solix@0.10.77 matchedIdentity = npm:aW9icm9rZXIuYW5rZXItc29saXg:0.10.77 similarity = 0.862 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/lib/pythonBridge.jsView on unpkg

Findings

2 Critical2 High4 Medium4 Low
CriticalCritical Secretpython/solixapi/session.py
CriticalSecret Patternpython/solixapi/session.py
HighSandbox Evasion Gated Capabilitytools/install-python.js
HighPrevious Version Dangerous Deltabuild/lib/pythonBridge.js
MediumDynamic Requiretools/pythonInstallEnv.js
MediumNetwork
MediumShips Build Helperpython/battery_power_pick.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings