AI Security Review
scanned 2h ago · by lpm-firewall-aiA command-injection vulnerability exists in the explicit `wakeTV()` path. No install-time execution, credential harvesting, or external exfiltration was found.
Static reason
No blocking static signals were detected.
Trigger
A consumer calls `wakeTV()` with an attacker-controlled `ip` option or device IP.
Impact
Arbitrary commands may run with the invoking user's OS permissions.
Mechanism
Shell interpolation of the TV IP in `child_process.exec`.
Rationale
Source inspection found no malicious install-time or covert exfiltration behavior, but it did find a concrete caller-reachable shell command injection in `wakeTV()`. This warrants a warning rather than a publication block for intentional malware.
Evidence
package.jsonbin/samsung-tv-remotecli.cjsremote-C-oMOZhp.cjsREADME.mdindex.cjs
Network endpoints1
239.255.255.250:1900
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `remote-C-oMOZhp.cjs` passes `options.ip` into a shell `ping` command via `child_process.exec`.
- `wakeTV()` invokes that shell command before sending Wake-on-LAN packets.
- The constructor accepts a caller-supplied IP without validation or shell-safe argument handling.
Evidence against
- `package.json` has no preinstall/install/postinstall/prepare lifecycle scripts.
- Network behavior is aligned with Samsung TV discovery, control WebSockets, and Wake-on-LAN.
- Cache writes retain the selected TV and its TV-issued app token locally; no exfiltration path was found.
- CLI execution requires explicit user invocation; importing `index.*` only exports APIs.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
5 Medium1 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowFilesystem