registry  /  samsung-tv-remote  /  3.0.7

samsung-tv-remote@3.0.7

Remote client for Samsung SmartTV starting from 2016

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A command-injection vulnerability exists in the explicit `wakeTV()` path. No install-time execution, credential harvesting, or external exfiltration was found.

Static reason
No blocking static signals were detected.
Trigger
A consumer calls `wakeTV()` with an attacker-controlled `ip` option or device IP.
Impact
Arbitrary commands may run with the invoking user's OS permissions.
Mechanism
Shell interpolation of the TV IP in `child_process.exec`.
Rationale
Source inspection found no malicious install-time or covert exfiltration behavior, but it did find a concrete caller-reachable shell command injection in `wakeTV()`. This warrants a warning rather than a publication block for intentional malware.
Evidence
package.jsonbin/samsung-tv-remotecli.cjsremote-C-oMOZhp.cjsREADME.mdindex.cjs
Network endpoints1
239.255.255.250:1900

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `remote-C-oMOZhp.cjs` passes `options.ip` into a shell `ping` command via `child_process.exec`.
  • `wakeTV()` invokes that shell command before sending Wake-on-LAN packets.
  • The constructor accepts a caller-supplied IP without validation or shell-safe argument handling.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare lifecycle scripts.
  • Network behavior is aligned with Samsung TV discovery, control WebSockets, and Wake-on-LAN.
  • Cache writes retain the selected TV and its TV-issued app token locally; no exfiltration path was found.
  • CLI execution requires explicit user invocation; importing `index.*` only exports APIs.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 49.0 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

5 Medium1 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowFilesystem