OnAir+

Turn OnAir into a full broadcast studio. OnAir+ adds a built-in per-user RTMP ingest (self-hosted or managed) so members go live straight from OBS — no YouTube/Twitch account needed — with low-latency HLS playback in the forum. Plus multistream relaying to YouTube/Twitch, automatic VOD recordings, real-time live chat, follows with go-live alerts, scheduled streams with reminders, concurrent-viewer counts, and a polished creator studio. Requires the free OnAir extension.

AI security review

Reviewed safe · 90/100
A well-structured premium live-streaming extension. Routes use proper authentication/authorization, machine webhooks are guarded by a constant-time shared-secret check, and inputs are validated. No RCE, SQLi, SSRF, hardcoded credentials, or data exfiltration found.
  • low · Restream/recording URLs rendered client-side — RestreamTarget.rtmp_url/stream_key and Recording.url are user-supplied and returned via JSON; safety depends on the (truncated) studio/vods JS escaping them. forum.js itself escapes chat output correctly via esc().
  • low · Webhook secret returned in admin settings JSON — GET /admin/ext/onair-plus/settings returns webhook_secret in plaintext. Restricted to admin middleware, so low risk, but exposes the machine secret to any admin session/CSRF-readable context.
  • low · Guest viewer fingerprinting — Heartbeat builds a guest key from sha1(ip+userAgent). Benign presence counting, not tracking/exfil, but noted for completeness.
  • low · VOD file unlink within fixed root — Recording delete unlinks files under /var/recordings using realpath() + str_starts_with prefix check and a /vod/ path gate. Appears properly constrained to the recordings root; owner/admin authorization enforced.

Automated review of v1.1.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.