AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malware was found, but runtime setup creates an enabled ioBroker JavaScript helper that exposes Blink video/live-view functionality over a local HTTP server. The risk is an unauthenticated auxiliary server plus shell/process use in a package-aligned feature.
Decision evidence
public snapshot- main.js creates/updates script.js.common.blink-video-url-server from lib/blink-video-url-server.json on adapter ready.
- lib/blink-video-url-server.json template is enabled:true and starts an unauthenticated HTTP server on port 8085.
- The installed script can read adapter credentials via getObject/CLI fallback and can exec iobroker object get.
- LiveView paths spawn package helpers/ffmpeg and serve files from /opt/iobroker/iobroker-data/blink and /tmp/blink_hls.
- lib/immi-live-hls.js spawns ffmpeg and opens an HLS HTTP server; TLS target comes from Blink session data.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Network use in lib/blink-api.js targets Blink/OAuth hosts api.oauth.blink.com and rest-prod.immedia-semi.com for the advertised adapter purpose.
- Credentials and PIN are ioBroker adapter config fields, with password/pin marked encryptedNative/protectedNative in io-package.json.
- Debug logging attempts to redact password, token, PIN, authorization and cookie fields.
- No code found harvesting unrelated env/files, persistence outside ioBroker objects, dependency confusion, or AI-agent control-surface writes.
Source & flagged code
4 flagged · loading sourcePackage contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9