registry  /  iobroker.aura  /  0.17.5

iobroker.aura@0.17.5

Modern visualization dashboard for ioBroker

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network and proxy features are dashboard/calendar functionality triggered by ioBroker users, not install-time mutation or credential exfiltration.

Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime and frontend user actions
Impact
User-configured dashboard can fetch/proxy URLs and manage ioBroker visualization states; no source-grounded malicious impact established.
Mechanism
local dashboard server, proxy, calendar fetch relay, ioBroker state/object management
Rationale
Static inspection shows an ioBroker visualization adapter with expected runtime HTTP serving, proxying, calendar fetch, filesystem browsing under configured roots, and ioBroker object/state operations. These are package-aligned capabilities with no install-time execution, credential theft, remote payload execution, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsonio-package.jsonmain.jslib/webExtension.jswww/assets/MapWidget-tSO3X50v.jswww/assets/index-komy5wDL.js
Network endpoints8
/proxy?url=/proxyws?url=/aura/proxy?url=/aura/proxyws?url=photon.komoot.io/api/{s}.tile.openstreetmap.org/{z}/{x}/{y}.pngserver.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}{s}.tile.opentopomap.org/{z}/{x}/{y}.png

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • main.js exposes user-configured HTTP/WS proxy and calendar URL fetch endpoints at runtime.
  • main.js has adapter RPCs that can restart/upgrade ioBroker adapters via sendToHost when invoked from frontend.
  • main.js provides /fs/read and /fs/list for configured fsRoots, guarded by path whitelist and read-only routes.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks or bin entries.
  • main.js and lib/webExtension.js network behavior is aligned with an ioBroker visualization dashboard/proxy/calendar adapter.
  • No child_process, eval, credential harvesting, persistence outside ioBroker objects, or exfiltration endpoint found in reviewed source.
  • Filesystem access is constrained to configured fsRoots and static www assets; writes are ioBroker object/state/meta operations.
  • Bundled www/assets dynamic imports and React/ECharts code appear to be normal built frontend assets.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 4.03 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

Source & flagged code

1 flagged · loading source
www/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings