AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an ioBroker visualization adapter with runtime dashboard serving, user-configured proxy/calendar fetch features, whitelisted file browsing, and admin-triggered adapter controls.
Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime after installation/configuration, plus explicit frontend/admin actions
Impact
Expected dashboard, automation, and adapter-management behavior; no hidden install-time mutation or exfiltration found
Mechanism
dashboard HTTP server, runtime proxy/fetch, ioBroker object/state management
Rationale
Source inspection found runtime network and administrative primitives, but they are package-aligned dashboard/ioBroker features and not install-time, hidden, or tied to credential harvesting or exfiltration. No concrete malicious chain remains after inspecting manifest, entrypoint, proxy/file routes, message handlers, and hinted bundled assets.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.jsonadmin/jsonConfig.jsonwww/assets/AdminCssJs-Cofo2jyH.jswww//opt/iobroker/iobroker-data/files
Network endpoints6
localhost127.0.0.1github.com/hdering/ioBroker.aura/issueshdering.github.io/ioBroker.aura/fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swapcdn.jsdelivr.net/npm/dayjs@1/dayjs.min.js
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- main.js exposes user/admin-invoked HTTP proxy and WebSocket proxy routes for configured dashboard embedding.
- main.js onMessage can restart/upgrade adapters via ioBroker host cmdExec when frontend sends explicit admin commands.
- main.js provides file read/list endpoints under configured fsRoots, guarded by resolveSafePath whitelist.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks and main is main.js.
- main.js network fetches are runtime features: calendar.request user URL, /proxy url parameter, and local web/socketio backend proxying.
- No child_process, eval/vm/Function, native binary loading, credential harvesting, or hardcoded exfiltration endpoint found in inspected source.
- Filesystem operations are reads of packaged www assets or configured fsRoots; no arbitrary write/dropper behavior observed.
- io-package.json describes a daemon visualization adapter with localLinks matching the HTTP server behavior.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings