registry  /  iobroker.blink  /  0.0.27

iobroker.blink@0.0.27

adapter for amazon blink system and ioBroker

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. Residual risk is an auto-enabled ioBroker JavaScript helper and local HTTP/video tooling created at adapter runtime.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
ioBroker adapter runtime onReady, plus user live/grid requests
Impact
Local HTTP exposure and child process use for video conversion, but no confirmed exfiltration or malicious persistence
Mechanism
package-aligned ioBroker helper script installation and Blink live/video streaming
Policy narrative
At runtime the adapter installs an enabled ioBroker JavaScript helper that serves a Blink camera grid and can start LiveView/HLS helpers using Blink credentials from the adapter configuration. The behavior is product-aligned for an ioBroker Blink camera adapter, but it expands runtime capability with an enabled script object, local HTTP server, credential access, and ffmpeg/node child processes.
Rationale
Source inspection supports a warn-level platform-extension/lifecycle risk, not malware: the dangerous primitives are tied to Blink camera streaming and ioBroker integration, with no unconsented npm install hook, exfiltration, destructive behavior, or foreign AI-agent mutation. The auto-enabled helper script and child-process/local-server capability are still significant enough to avoid marking fully clean.
Evidence
package.jsonmain.jslib/blink-video-url-server.jsonlib/blink-api.jslib/immi-live-hls.jslib/blink-liveview-iobroker.jslib/mjpeg-server.jsio-package.json/tmp/blink_session_cache/tmp/blink_hls/tmp/blink_liveview_session.json
Network endpoints4
api.oauth.blink.comrest-prod.immedia-semi.com<host>:8085/gridcdnjs.cloudflare.com/ajax/libs/hls.js/1.5.20/hls.min.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • main.js auto-creates/updates ioBroker script object script.js.common.blink-video-url-server from bundled source.
  • lib/blink-video-url-server.json template is enabled:true and runs a local HTTP server on port 8085.
  • Bundled helper script can read Blink adapter credentials and use exec fallback for iobroker object get.
  • main.js and lib/immi-live-hls.js spawn ffmpeg for live/HLS streaming.
Evidence against
  • package.json has no npm lifecycle hooks or bin entrypoints.
  • Network code is Blink/ioBroker aligned: OAuth, REST API, live view, local MJPEG/HLS servers.
  • Secrets are used for Blink login and debug paths redact tokens/passwords in inspected code.
  • No evidence of credential exfiltration, destructive actions, persistence outside ioBroker objects, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 232 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

5 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9
lib/blink-api.jsView file
matchType = previous_version_dangerous_delta matchedPackage = iobroker.blink@0.0.26 matchedIdentity = npm:aW9icm9rZXIuYmxpbms:0.0.26 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/blink-api.jsView on unpkg

Findings

3 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
HighPrevious Version Dangerous Deltalib/blink-api.js
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings