AI Security Review
scanned 7d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware, but runtime auto-installs an enabled ioBroker JavaScript helper outside the adapter namespace. The helper exposes local camera/video HTTP endpoints and can launch packaged LiveView/HLS helpers and ffmpeg.
Decision evidence
public snapshot- main.js runtime onReady calls installBlinkVideoUrlServerScript() to create/update ioBroker script.js.common.blink-video-url-server
- lib/blink-video-url-server.json has common.enabled=true and embeds a local HTTP server plus exec-based ioBroker CLI fallback and Node helper launches
- main.js and lib/immi-live-hls.js spawn ffmpeg for user-triggered/live streaming paths
- Runtime stores Blink sessions and media under /tmp and configured snapshot directories
- package.json has no npm lifecycle hooks or bin entry
- Network calls are aligned with Blink/ioBroker adapter function: OAuth, REST API, local MJPEG/HLS servers
- Blink credentials are used for login and ioBroker config, with protected/encrypted native fields in io-package.json
- Debug logging redacts tokens/passwords in lib/blink-api.js
- No evidence of foreign AI-agent control-surface writes, credential exfiltration, destructive behavior, or remote payload download/execute
Source & flagged code
4 flagged · loading sourcePackage contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9