registry  /  iobroker.aura  /  0.21.15

iobroker.aura@0.21.15

Modern visualization dashboard for ioBroker

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The adapter starts a configured dashboard server, fetches user-requested calendar URLs, and proxies configured HTTP/WebSocket targets.

Static reason
No blocking static signals were detected.
Trigger
Adapter runtime plus dashboard, calendar, or proxy use.
Impact
No credential harvesting, remote payload execution, destructive action, or stealth persistence established.
Mechanism
Package-aligned HTTP/WebSocket proxy, calendar retrieval, and whitelisted file browsing.
Rationale
Direct source inspection found normal ioBroker dashboard functionality, not a concrete malicious chain. The scanner's dynamic-code hint is attributable to bundled frontend vendor code and not package attack behavior.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.jsonwww/assets/echarts-Cv-_nZ52.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • main.js only executes as the adapter entrypoint.
    • main.js calendar fetch uses a state-supplied URL and caches its response.
    • main.js filesystem routes enforce configured root paths and block escaping symlinks.
    • lib/webExtension.js proxy routes are explicit dashboard features.
    • No source-level child-process, shell, eval, or AI-agent control writes found.
    Behavioral surface
    Source
    ChildProcessEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 41 file(s), 4.13 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

    Source & flagged code

    1 flagged · loading source
    www/assets/echarts-Cv-_nZ52.jsView file
    39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

    Findings

    2 Medium7 Low
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvalwww/assets/echarts-Cv-_nZ52.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings