registry  /  iobroker.blink  /  0.0.22

iobroker.blink@0.0.22

adapter for amazon blink system and ioBroker

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an ioBroker adapter that logs into Blink, polls camera state, downloads snapshots/videos, and optionally exposes local MJPEG/HLS viewing helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
ioBroker adapter runtime startup and user camera/live-view commands
Impact
Legitimate camera integration; local HTTP helper exposure is product functionality but not evidence of malware.
Mechanism
Blink cloud API client plus local media helper servers
Rationale
The risky primitives are source-grounded but align with the adapter's Blink camera, video, and local streaming features, and I found no credential exfiltration, install-time execution, remote payload loading, or destructive behavior. The auto-created enabled ioBroker helper script is a notable product-surface risk, but its code is packaged, Blink-specific, and not a concrete malicious payload.
Evidence
package.jsonmain.jslib/blink-api.jslib/blink-video-url-server.jsonlib/immi-live-hls.jslib/blink-liveview-iobroker.jslib/mjpeg-server.jsio-package.jsonadmin/jsonConfig.json
Network endpoints6
api.oauth.blink.comapi.oauth.blink.comrest-prod.immedia-semi.comrest-<tier>.immedia-semi.com<host>:8085/grid<PI-IP>:8099/live.m3u8

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • main.js installs an enabled ioBroker JavaScript object from lib/blink-video-url-server.json on adapter startup.
  • lib/blink-video-url-server.json contains an unauthenticated local HTTP server on port 8085 and uses ioBroker exec for helper commands.
  • lib/immi-live-hls.js and main.js spawn ffmpeg for Blink LiveView/HLS streaming.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Network code targets Blink/Amazon camera functionality: api.oauth.blink.com and immedia-semi.com REST hosts.
  • Credentials are read from ioBroker config for Blink login and debug masking redacts passwords/tokens in lib/blink-api.js.
  • Child process use is package-aligned: ffmpeg/HLS helpers and ioBroker CLI fallback, not arbitrary remote command execution.
  • File writes are local cache/media/debug outputs under configured snapshot paths or /tmp, with no external exfiltration sink found.
  • No AI-agent control files, persistence outside ioBroker adapter functionality, destructive payload, or dependency confusion behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 233 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

4 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9

Findings

2 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings