AI Security Review
scanned 7d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. Residual risk is an auto-enabled ioBroker JavaScript helper and local HTTP/video tooling created at adapter runtime.
Decision evidence
public snapshot- main.js auto-creates/updates ioBroker script object script.js.common.blink-video-url-server from bundled source.
- lib/blink-video-url-server.json template is enabled:true and runs a local HTTP server on port 8085.
- Bundled helper script can read Blink adapter credentials and use exec fallback for iobroker object get.
- main.js and lib/immi-live-hls.js spawn ffmpeg for live/HLS streaming.
- package.json has no npm lifecycle hooks or bin entrypoints.
- Network code is Blink/ioBroker aligned: OAuth, REST API, live view, local MJPEG/HLS servers.
- Secrets are used for Blink login and debug paths redact tokens/passwords in inspected code.
- No evidence of credential exfiltration, destructive actions, persistence outside ioBroker objects, or AI-agent control-surface writes.
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/blink-api.jsView on unpkg