OnAir

Per-user live streaming for your community. Any member can go live with a YouTube or Twitch broadcast — a pulsing LIVE badge appears on their avatar everywhere, a sidebar card lists who's on air, and a public directory (/live) plus watch pages let members tune in. No streaming infrastructure required.

AI security review

Reviewed safe · 92/100
OnAir is a clean, first-party-style live-streaming extension. Routes are properly authorized, inputs are validated, output is HTML-escaped, and embed URLs are restricted to YouTube/Twitch with rawurlencode. No RCE, SQL injection, SSRF, hardcoded secrets, or data exfiltration found.
  • low · Remote hls.js loaded from CDN — src/Extension.php hlsJs() injects https://cdn.jsdelivr.net/npm/hls.js@1/dist/hls.min.js on HLS watch pages. This only applies to 'rtmp' provider streams whose embed_url is set by a separate OnAir+ add-on (not creatable via this extension's validated go-live, which only allows youtube/twitch). Standard CDN dependency, not malicious, but pins to a floating @1 major and relies on jsdelivr.
  • low · embed_url rendered directly for rtmp streams — Stream::embedUrl() returns the raw embed_url for provider 'rtmp', which is rendered as a <video data-src>/HLS source on the watch page. No rtmp stream can be created through the audited code paths (go-live validates platform in:youtube,twitch), so this is only reachable if an add-on or DB writes provider=rtmp. Value is HTML-escaped but not URL-scheme-validated; worth noting if an OnAir+ add-on populates it from untrusted input.
  • low · go-live permission vs presence exposure — Presence endpoint /api/ext/onair/live is public (by design) and exposes live members' names, avatars, titles and stream IDs. This is intended functionality (public /live directory). Admin force-end and list routes are correctly gated by web/auth/admin middleware.

Automated review of v2.2.1 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.