AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package provides user-invoked HTTP(S)/WebSocket proxying and calendar retrieval for its dashboard features.
Static reason
No blocking static signals were detected.
Trigger
Runtime requests to the dashboard `/proxy` or `/proxyws` routes, or a calendar request state update.
Impact
Can contact configured target URLs as part of dashboard functionality; no covert exfiltration or payload execution is evidenced.
Mechanism
Caller-configured proxying and calendar HTTP retrieval.
Rationale
Reviewed manifest, runtime entrypoint, and extension source show a visualization adapter with explicit proxy/calendar features. Potentially sensitive network primitives are package-aligned and runtime-triggered, with no concrete malicious chain.
Evidence
package.jsonio-package.jsonmain.jslib/webExtension.jswww/
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- `main.js` exposes runtime `/proxy` and `/proxyws` handlers accepting caller-provided HTTP(S)/WS targets.
- `main.js` fetches caller-supplied calendar URLs on a state-change request.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `main.js` is the declared runtime entrypoint and implements an ioBroker dashboard server.
- Proxy and calendar network behavior is user-triggered dashboard functionality, not hidden install/import execution.
- No child-process, shell, eval/vm, native loading, or environment harvesting appears in reviewed source.
- No credential exfiltration, external hard-coded collection endpoint, persistence, or AI-agent control-surface mutation was found.
- Filesystem use in `main.js` serves bundled `www/` assets; adapter writes are ioBroker state/object management.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings