registry  /  iobroker.blink  /  0.0.28

iobroker.blink@0.0.28

adapter for amazon blink system and ioBroker

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware, but runtime auto-installs an enabled ioBroker JavaScript helper outside the adapter namespace. The helper exposes local camera/video HTTP endpoints and can launch packaged LiveView/HLS helpers and ffmpeg.

Static reason
One or more suspicious static signals were detected.
Trigger
ioBroker adapter startup/runtime after user configures the adapter
Impact
Warn-level platform extension lifecycle risk; user environment gains an enabled helper script/server for package-aligned camera streaming.
Mechanism
platform script creation plus local media server and helper process execution
Policy narrative
On adapter startup, main.js installs or updates an enabled ioBroker JavaScript helper script from lib/blink-video-url-server.json. That helper is package-aligned for Blink camera grid/live view, but it runs as a broader ioBroker script with an HTTP server, exec fallback, and helper process launches. No exfiltration or unconsented npm install-time behavior was found.
Rationale
Static inspection does not show malicious npm install/import behavior or credential exfiltration; suspicious scanner primitives are mostly Blink cloud access, local streaming, ffmpeg, and ioBroker helper functionality. The auto-created enabled ioBroker script is a real platform extension lifecycle risk, so warn rather than mark clean.
Evidence
package.jsonio-package.jsonmain.jslib/blink-api.jslib/blink-video-url-server.jsonlib/blink-liveview-iobroker.jslib/immi-live-hls.jslib/mjpeg-server.js/tmp/blink_debug.log/tmp/blink_session_cache/tmp/blink_liveview_session.json/tmp/blink_liveview_iobroker_debug.log/tmp/blink_hls/opt/iobroker/iobroker-data/blinkscript.js.common.blink-video-url-server
Network endpoints7
api.oauth.blink.comrest-prod.immedia-semi.comrest-<tier>.immedia-semi.com<host>:8085<host>:8089<host>:8090<PI-IP>:8099

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • main.js runtime onReady calls installBlinkVideoUrlServerScript() to create/update ioBroker script.js.common.blink-video-url-server
  • lib/blink-video-url-server.json has common.enabled=true and embeds a local HTTP server plus exec-based ioBroker CLI fallback and Node helper launches
  • main.js and lib/immi-live-hls.js spawn ffmpeg for user-triggered/live streaming paths
  • Runtime stores Blink sessions and media under /tmp and configured snapshot directories
Evidence against
  • package.json has no npm lifecycle hooks or bin entry
  • Network calls are aligned with Blink/ioBroker adapter function: OAuth, REST API, local MJPEG/HLS servers
  • Blink credentials are used for login and ioBroker config, with protected/encrypted native fields in io-package.json
  • Debug logging redacts tokens/passwords in lib/blink-api.js
  • No evidence of foreign AI-agent control-surface writes, credential exfiltration, destructive behavior, or remote payload download/execute
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 232 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

4 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9

Findings

2 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings