registry  /  iobroker.aura  /  0.22.5

iobroker.aura@0.22.5

Modern visualization dashboard for ioBroker

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime networking is dashboard functionality: a user-facing iframe proxy and calendar relay.

Static reason
No blocking static signals were detected.
Trigger
Starting the ioBroker adapter, then using its dashboard proxy or writing a calendar request state.
Impact
Can reach user-supplied dashboard/calendar URLs, but source shows no package-directed exfiltration, payload execution, or persistence.
Mechanism
HTTP(S)/WebSocket proxying and calendar retrieval for configured dashboard content.
Rationale
Source inspection shows a dashboard adapter with documented runtime proxy/calendar features, not covert install-time or package-directed attack behavior. No concrete malicious chain was found.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.jsonREADME.md

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • main.js starts an ioBroker dashboard server and its documented iframe proxy.
    • main.js calendar fetches occur only after writes to calendar.request.
    • lib/webExtension.js proxy accepts only HTTP(S) targets and routes are package-owned.
    • No child-process, shell, eval/vm, credential harvesting, or AI-agent config writes found.
    Behavioral surface
    Source
    ChildProcessEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 42 file(s), 4.15 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

    Source & flagged code

    1 flagged · loading source
    www/assets/echarts-Cv-_nZ52.jsView file
    39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

    Findings

    2 Medium7 Low
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvalwww/assets/echarts-Cv-_nZ52.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings