registry  /  iobroker.aura  /  0.15.5

iobroker.aura@0.15.5

Modern visualization dashboard for ioBroker

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime capabilities are an ioBroker dashboard HTTP server with calendar fetching, reverse proxy routes, whitelisted file browsing, timer state writes, and admin-triggered adapter management.

Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime and authenticated/frontend user actions
Impact
Could proxy user-requested URLs or change ioBroker states when configured by users, but no evidence of unconsented install-time execution or exfiltration.
Mechanism
package-aligned dashboard server, proxy, scheduler, and ioBroker object/state operations
Rationale
Source inspection shows a legitimate ioBroker visualization adapter with runtime proxy/admin features that match the package purpose, and no install-time hooks or concrete malicious chain. The risky primitives are user/runtime invoked and constrained by ioBroker configuration or validation rather than stealthy malware behavior.
Evidence
package.jsonio-package.jsonmain.jslib/webExtension.jswww/assets/echarts-Cv-_nZ52.js

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • main.js exposes runtime /proxy and /proxyws to user-supplied http(s)/ws(s) URLs
  • main.js onMessage can send ioBroker host cmdExec for validated upgradeAdapter requests
  • main.js serves whitelisted filesystem roots via /fs/list and /fs/read
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • main.js is the declared entrypoint and implements an ioBroker visualization adapter/server
  • Network code is package-aligned: calendar fetching, web/socket proxying, and dashboard asset serving
  • Filesystem access is read-only route-limited to configured fsRoots; no package install-time file mutation found
  • No credential harvesting, hardcoded exfiltration endpoint, persistence outside ioBroker objects, eval payload, or AI-agent control writes found
  • www/assets dynamic imports/eval-like patterns are bundled React/Vite/ECharts frontend code
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 4.02 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

Source & flagged code

1 flagged · loading source
www/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings