AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime network proxying, adapter upgrade, and file browsing are package-aligned ioBroker dashboard/admin features rather than install-time or stealth behavior.
Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime and authenticated/authorized frontend interactions
Impact
No evidence of malicious exfiltration or unauthorized install-time mutation; runtime features may be sensitive if exposed without proper ioBroker access controls.
Mechanism
dashboard HTTP server with proxy, filesystem browse, scheduler, and ioBroker admin RPC helpers
Rationale
Source inspection shows a legitimate ioBroker visualization adapter with no lifecycle hooks, no credential harvesting, and no concrete malicious chain. The risky primitives are runtime, user/admin-facing features constrained by package context and validation.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.jsonadmin/jsonConfig.jsonwww/assets/index-DxRBkfZl.jswww/assets/echarts-Cv-_nZ52.js/opt/iobroker/iobroker-data/files
Network endpoints3
raw.githubusercontent.com/hdering/ioBroker.aura/main/admin/aura.pnggithub.com/hdering/ioBroker.aura.gitgithub.com/hdering/ioBroker.aura/issues
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- main.js exposes runtime /proxy and /proxyws forwarding to user-supplied http(s)/ws(s) URLs.
- main.js onMessage upgradeAdapter sends constrained ioBroker host cmdExec: `upgrade ${name}`.
- main.js /fs routes read configured fsRoots, default /opt/iobroker/iobroker-data/files.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- main.js network code is an ioBroker visualization server: calendar fetch, socket/web proxy, static frontend serving.
- upgradeAdapter validates adapter name with /^[a-z0-9_-]+$/i before cmdExec.
- /fs/read and /fs/list restrict paths to configured roots and reject symlinks outside roots.
- No child_process, eval of fetched code, credential harvesting, persistence, or exfiltration endpoints found.
- Bundled www assets are frontend libraries/application code; echarts dynamic patterns are library code.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings