
@rawdash/connector-firebase-crashlytics@0.29.0

Rawdash connector for Firebase Crashlytics - syncs daily crash counts, crash-free user rate, and top issues from the Crashlytics -> BigQuery export

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is an explicit connector sync that exchanges configured Google credentials for an OAuth token, queries BigQuery Crashlytics exports, and stores metrics/entities via Rawdash storage.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/configures connector and invokes Rawdash sync
Impact
Reads configured Firebase Crashlytics BigQuery export data into Rawdash storage
Mechanism
Google OAuth token exchange plus BigQuery read queries
Rationale
The scanner secret hit is from schema/docs/code handling user-provided Google service account credentials, not an embedded credential or exfiltration path. The package has no lifecycle execution or persistence and its runtime network access is consistent with the declared Firebase Crashlytics BigQuery connector purpose.
Evidence
  • package.json
  • dist/index.js
  • dist/index.d.ts
  • README.md
Network endpoints (3)
  • oauth2.googleapis.com/token
  • bigquery.googleapis.com/bigquery/v2
  • www.googleapis.com/auth/bigquery.readonly

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js handles user-supplied Google service account/private key material to mint OAuth tokens.
  • dist/index.js performs runtime network calls to Google OAuth and BigQuery APIs.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts or bin entrypoint.
  • dist/index.js exports a Rawdash Firebase Crashlytics connector; no import-time execution beyond definitions.
  • Network endpoints are package-aligned: OAuth token exchange and BigQuery Crashlytics export queries.
  • No child_process, eval/Function, dynamic require/import, filesystem writes, persistence, or AI-agent control-surface writes found.
  • README.md documents the same serviceAccountJson secret and BigQuery Crashlytics workflow.
Behavioral surface
Source
  • ChildProcess
Supply chain
  • HighEntropyStrings
  • UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 29.6 KB of source, external domains: bigquery.googleapis.com, firebase.google.com, oauth2.googleapis.com, rawdash.dev, www.googleapis.com

Source & flagged code

2 flagged

dist/index.js, line 30: patternName = private_key_rsa, severity = critical, line = 30, matchedText = const pe..."");

Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.js · L30

Critical
Secret Pattern

RSA private key in dist/index.js

dist/index.js · L30

Findings

2 Critical, 3 Low
  • Critical · Critical Secret · dist/index.js
  • Critical · Secret Pattern · dist/index.js
  • Low · Scripts Present
  • Low · High Entropy Strings
  • Low · Url Strings