registry  /  iobroker.aura  /  0.16.0

iobroker.aura@0.16.0

Modern visualization dashboard for ioBroker

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime proxy, calendar fetch, filesystem browsing, and adapter-management RPCs are package-aligned ioBroker dashboard features rather than install-time or hidden behavior.

Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime after user configuration or frontend RPC
Impact
No confirmed credential theft, destructive action, persistence, unauthorized install-time mutation, or exfiltration.
Mechanism
dashboard server with proxy, calendar fetch, read-only file browser, timers, and ioBroker object/state updates
Rationale
Direct inspection found no install-time execution or hidden malicious chain; the suspicious primitives are runtime ioBroker adapter capabilities exposed for configured dashboard functionality. The explicit upgrade/restart commands are user-invoked and constrained by simple identifiers, so they do not establish package malware by themselves.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.json

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • main.js exposes runtime HTTP/WebSocket proxy for user-supplied URLs.
  • main.js onMessage has user-command adapter management actions including restart/upgrade via ioBroker host cmdExec.
  • main.js exposes read-only filesystem browse/read routes constrained to configured fsRoots.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and main is main.js.
  • Network code is tied to ioBroker dashboard features: calendar.request fetch, configured proxy, and local socket backend forwarding.
  • No credential/env harvesting, external exfiltration endpoint, child_process use, eval/vm/Function, native binary loading, or persistence found in reviewed source.
  • Filesystem routes validate paths against configured fsRoots; io-package.json defaults fsAllowWrite to false and inspected routes only list/read.
  • Admin/runtime object mutations are ioBroker adapter state/object management, client/timer/list cleanup, and explicit frontend RPCs.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 4.02 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

Source & flagged code

1 flagged · loading source
www/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings