AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious payload was found, but the package auto-installs an enabled ioBroker JavaScript server with unauthenticated local HTTP controls for camera LiveView. This is a real exposed control surface rather than install-time malware.
Decision evidence
public snapshot- main.js installs lib/blink-video-url-server.json as enabled ioBroker JavaScript object on adapter ready
- lib/blink-video-url-server.json exposes unauthenticated local HTTP routes such as /live/start and /grid on port 8085
- lib/blink-video-url-server.json uses ioBroker exec to run bundled LiveView/HLS helpers
- lib/immi-live-hls.js spawns ffmpeg and deletes/recreates files under /tmp/blink_hls
- lib/blink-liveview-iobroker.js reads Blink credentials from env or prompts and writes LiveView session JSON under /tmp
- package.json has no install/preinstall/postinstall lifecycle scripts
- Network traffic is Blink/ioBroker feature-aligned: OAuth, Blink REST API, IMMI LiveView, local stream servers
- Secrets in debug paths are masked in lib/blink-api.js before logging
- Child process usage is for ffmpeg/live video bridge and bundled helper scripts, not arbitrary downloaded payloads
- No evidence of credential harvesting beyond configured Blink login or exfiltration to non-Blink endpoints
- No prompt/reviewer manipulation or AI-agent control-surface writes found
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/blink-api.jsView on unpkg