Let’s look at this like a security engineer.
risk = likelihood * impact
What’s the likelihood that someone would create some openHAB addon that includes malicious code? Well, the population of openHAB users is in the thousands, not the millions. It’s a really small target. For the amount of effort required to successfully do something malicious in an openHAB binding, the time would be much better spent using that effort to go after something with more users, like a popular IP camera or the like.
And this is thinking about the “official” openHAB addons. You are talking about some random addon on Github. Something like that may have at most dozens of users.
I’m not saying it’s impossible for someone to do something malicious, but it is a really low likelihood. It’s just not worth the effort. So let’s say that the likelihood is around 10%, which I honestly think is too high but it’s a nice round number.
What’s the impact? That depends on how you have openHAB installed, what it can see, etc.
- Making your OH part of a botnet: impact to you is pretty low, let’s say 5 out of 100
- Making your OH machine mine bitcoin: impact to you is pretty low, your machine overheats or becomes unresponsive at which point you probably will start from scratch, let’s say 20 out of 100
- Something worse: it’s hard to guess without specifics, let’s say the impact is 80 out of 100 which would be something like identity theft (100 would be loss of life)
So at worst we are looking at a risk of 0.5 to 10 out of 100. This is really low.
So what can you do to mitigate the risks?
- put in place firewall rules to limit what your openHAB can talk to (block botnet)
- monitor your openHAB’s resource utilization (detect cryptomining)
- isolate your OH and home automation from your other machines where sensitive information may live.
Let’s say you implement those mitigations. Thumb in the air, I’d say that the first one completely mitigates the botnet risk, the second one mitigates the cryptomining by 90%, and the third one mitigates the “Something worse” by 90%. So with these mitigations in place we bring the risk down to 0 or 1 out of 100.
That’s really low risk.
But honestly, I wouldn’t bother with these mitigations because the original risks were really low to begin with.
But to answer your specific question, no, what sort of checking do you think is possible? openHAB didn’t write the code. The code has never been reviewed by us. It isn’t owned by us and it’s never been submitted to the project. We have no insight into it.
I’d say go ahead and try it. If you are still worried, put in place some mitigations and then try it. The risks are very low.
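Added example (not part of the post above and not openHAB project code) of the first two mitigations it lists: a check for sustained CPU use by the openHAB process, and an egress allowlist for the openHAB service account rendered as an nftables ruleset. The service account name `openhab`, the allowed subnets and ports, and the CPU readings are all constructed assumptions; adjust them to your own host.

```python
#!/usr/bin/env python3
"""Two of the mitigations from the post, made concrete:
 1. detect sustained CPU use by the openHAB process (cryptomining check);
 2. model an egress allowlist for openHAB and render it as nftables rules.
Added example, not openHAB project code. All sample data is constructed."""
from ipaddress import ip_address, ip_network

# Constructed per-minute CPU readings (percent) for the openHAB JVM, as a
# cron job might collect them from `top -b -n 1`. Not real measurements.
CPU_NORMAL = [3.0, 5.5, 2.1, 40.0, 4.2, 3.3, 6.0, 2.5, 3.1, 4.8]
CPU_MINING = [4.0, 6.1, 95.0, 97.5, 99.0, 96.2, 98.1, 97.0, 99.3, 95.5]


def sustained_high_cpu(samples, threshold=80.0, window=5):
    """True when at least `window` consecutive samples exceed `threshold`.

    A single spike (rule engine catch-up, addon install) is ignored; a miner
    pegs the CPU continuously, so only a sustained run trips the check.
    """
    run = 0
    for pct in samples:
        run = run + 1 if pct > threshold else 0
        if run >= window:
            return True
    return False


# Constructed egress policy for the openHAB host: (destination network, port).
# port=None means any port. Hypothetical values; adjust to your own LAN.
ALLOWED_EGRESS = [
    ("192.168.1.0/24", None),  # local devices the bindings talk to
    ("0.0.0.0/0", 53),         # DNS
    ("0.0.0.0/0", 123),        # NTP
    ("0.0.0.0/0", 443),        # HTTPS (cloud connector, addon downloads)
]
OPENHAB_UID = "openhab"        # assumed service account of the openHAB process


def egress_allowed(dst_ip, dst_port, allowlist=ALLOWED_EGRESS):
    """Decide whether a connection from openHAB to dst_ip:dst_port is permitted."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(net) and (port is None or port == dst_port)
               for net, port in allowlist)


def render_nftables(allowlist=ALLOWED_EGRESS, uid=OPENHAB_UID):
    """Render the allowlist as an nftables ruleset applied only to `uid`.

    Traffic from every other user is accepted untouched; for the openHAB
    account, anything not on the list is logged and dropped, which blocks
    botnet/C2 traffic to arbitrary hosts without breaking the local UI.
    """
    lines = [
        "table inet oh_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        f"    meta skuid != {uid} accept",
        "    ct state established,related accept",  # replies to inbound UI/API
    ]
    for net, port in allowlist:
        if port is None:
            lines.append(f"    ip daddr {net} accept")
        elif net == "0.0.0.0/0":
            lines.append(f"    meta l4proto {{ tcp, udp }} th dport {port} accept")
        else:
            lines.append(f"    ip daddr {net} meta l4proto {{ tcp, udp }} th dport {port} accept")
    lines += [
        '    log prefix "oh-egress-drop " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("normal host mining?", sustained_high_cpu(CPU_NORMAL))              # False
    print("mining host mining?", sustained_high_cpu(CPU_MINING))              # True
    print("C2 to 203.0.113.5:4444 allowed?", egress_allowed("203.0.113.5", 4444))  # False
    print(render_nftables())
```

The `ct state established,related accept` line sits before the allowlist so that replies to inbound connections (the openHAB web UI and REST API) keep working. Load the rendered ruleset in a test VM first: with the final `drop`, anything not listed is cut off, and bindings that discover devices over mDNS or SSDP send to multicast addresses outside the LAN subnet and would need their own entries.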