AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an ioBroker visualization adapter with runtime dashboard, proxy, calendar, timer, file-picker, and admin-control features that are package-aligned and user/config driven.
Static reason
No blocking static signals were detected.
Trigger
ioBroker adapter runtime or explicit frontend/admin message actions
Impact
No evidence of unauthorized install-time execution, exfiltration, persistence, destructive behavior, or agent control hijack.
Mechanism
dashboard server, user-configured fetch/proxy, read-only configured file roots, ioBroker object/state management
Rationale
Source inspection shows risky primitives only in expected ioBroker dashboard/runtime functionality and explicit admin/user actions, not an unconsented malicious chain. No lifecycle hooks, payload staging, credential theft, remote code execution at install/import, or AI-agent control-surface mutation were found.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.jsonadmin/jsonConfig.json
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; main is main.js.
- main.js runtime network is dashboard-aligned: calendar fetch, HTTP/WS proxy, socket backend proxy.
- main.js filesystem access serves bundled www assets and read-only /fs routes limited to configured fsRoots.
- main.js command-like actions are explicit ioBroker RPCs for adapter restart/upgrade and script enable toggles.
- lib/webExtension.js registers proxy routes for ioBroker web extension; no import/install-time mutation or exfiltration found.
- No child_process, eval/Function, native binary loading, credential harvesting, or AI-agent config writes found.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings