AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The main residual risk is runtime creation of an enabled ioBroker JavaScript helper script that exposes local camera/video endpoints and can launch packaged LiveView helpers.
Decision evidence
public snapshot- main.js onReady calls installBlinkVideoUrlServerScript before polling.
- main.js creates/updates foreign ioBroker script object script.js.common.blink-video-url-server.
- lib/blink-video-url-server.json template is enabled and contains HTTP server plus exec-based LiveView helpers.
- lib/immi-live-hls.js spawns ffmpeg, opens an HLS server, and connects to Blink IMMI TLS hosts from session data.
- package.json has no npm lifecycle hooks or bin entries.
- Blink API network use is package-aligned for an ioBroker Blink camera adapter.
- blink-api.js masks passwords, PINs, tokens and auth headers in debug logging.
- Child process use is limited to ffmpeg/node LiveView helpers, not arbitrary remote code.
- No credential harvesting, AI-agent control-surface writes, dependency confusion, destructive behavior, or reviewer prompt injection found.
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/immi-live-hls.jsView on unpkg