registry  /  iobroker.blink  /  0.0.26

iobroker.blink@0.0.26

adapter for amazon blink system and ioBroker

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The main residual risk is runtime creation of an enabled ioBroker JavaScript helper script that exposes local camera/video endpoints and can launch packaged LiveView helpers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
ioBroker adapter runtime onReady and user LiveView/server requests
Impact
Warn-level platform extension risk; no evidence of exfiltration or unrelated persistence
Mechanism
package-aligned ioBroker helper script installation and Blink camera streaming
Attack narrative
At adapter startup, main.js installs or updates an ioBroker JavaScript helper script from lib/blink-video-url-server.json. That helper runs a local web server for Blink camera grids and LiveView, and on LiveView requests invokes packaged helper scripts and ffmpeg to create HLS streams. This is aligned with the adapter’s documented camera-streaming function, but it is a persistent enabled script in another ioBroker namespace, so it merits warning rather than a clean verdict.
Rationale
Static inspection found package-aligned Blink API, snapshot, notification, MJPEG/HLS, and LiveView functionality, with no install-time malware, credential exfiltration, remote code execution from untrusted sources, or AI-agent hijack. The automatic enabled foreign ioBroker script creation is a real platform-extension lifecycle risk, so downgrade to warn instead of publish blocking.
Evidence
package.jsonmain.jslib/blink-video-url-server.jsonlib/immi-live-hls.jslib/blink-liveview-iobroker.jslib/blink-api.jslib/mjpeg-server.jsio-package.jsonscript.js.common.blink-video-url-server/tmp/blink_debug.log/tmp/blink_liveview_session.json/tmp/blink_liveview_iobroker_debug.log/tmp/blink_hls/tmp/blink_session_cache/opt/iobroker/iobroker-data/blink
Network endpoints8
api.oauth.blink.comapi.oauth.blink.comrest-prod.immedia-semi.comimmis://<session-host>:443cdnjs.cloudflare.com/ajax/libs/hls.js/1.5.20/hls.min.js<host>:8085<PI-IP>:8099<host>:8089

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • main.js onReady calls installBlinkVideoUrlServerScript before polling.
  • main.js creates/updates foreign ioBroker script object script.js.common.blink-video-url-server.
  • lib/blink-video-url-server.json template is enabled and contains HTTP server plus exec-based LiveView helpers.
  • lib/immi-live-hls.js spawns ffmpeg, opens an HLS server, and connects to Blink IMMI TLS hosts from session data.
Evidence against
  • package.json has no npm lifecycle hooks or bin entries.
  • Blink API network use is package-aligned for an ioBroker Blink camera adapter.
  • blink-api.js masks passwords, PINs, tokens and auth headers in debug logging.
  • Child process use is limited to ffmpeg/node LiveView helpers, not arbitrary remote code.
  • No credential harvesting, AI-agent control-surface writes, dependency confusion, destructive behavior, or reviewer prompt injection found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 232 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

5 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9
lib/immi-live-hls.jsView file
matchType = previous_version_dangerous_delta matchedPackage = iobroker.blink@0.0.25 matchedIdentity = npm:aW9icm9rZXIuYmxpbms:0.0.25 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/immi-live-hls.jsView on unpkg

Findings

3 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
HighPrevious Version Dangerous Deltalib/immi-live-hls.js
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings