AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime network and proxy features are dashboard/calendar functionality triggered by ioBroker users, not install-time mutation or credential exfiltration.
Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime and frontend user actions
Impact
User-configured dashboard can fetch/proxy URLs and manage ioBroker visualization states; no source-grounded malicious impact established.
Mechanism
local dashboard server, proxy, calendar fetch relay, ioBroker state/object management
Rationale
Static inspection shows an ioBroker visualization adapter with expected runtime HTTP serving, proxying, calendar fetch, filesystem browsing under configured roots, and ioBroker object/state operations. These are package-aligned capabilities with no install-time execution, credential theft, remote payload execution, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsonio-package.jsonmain.jslib/webExtension.jswww/assets/MapWidget-tSO3X50v.jswww/assets/index-komy5wDL.js
Network endpoints8
/proxy?url=/proxyws?url=/aura/proxy?url=/aura/proxyws?url=photon.komoot.io/api/{s}.tile.openstreetmap.org/{z}/{x}/{y}.pngserver.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}{s}.tile.opentopomap.org/{z}/{x}/{y}.png
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- main.js exposes user-configured HTTP/WS proxy and calendar URL fetch endpoints at runtime.
- main.js has adapter RPCs that can restart/upgrade ioBroker adapters via sendToHost when invoked from frontend.
- main.js provides /fs/read and /fs/list for configured fsRoots, guarded by path whitelist and read-only routes.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entries.
- main.js and lib/webExtension.js network behavior is aligned with an ioBroker visualization dashboard/proxy/calendar adapter.
- No child_process, eval, credential harvesting, persistence outside ioBroker objects, or exfiltration endpoint found in reviewed source.
- Filesystem access is constrained to configured fsRoots and static www assets; writes are ioBroker object/state/meta operations.
- Bundled www/assets dynamic imports and React/ECharts code appear to be normal built frontend assets.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings