AI Security Review
scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is an explicit connector sync that exchanges configured Google credentials for an OAuth token, queries BigQuery Crashlytics exports, and stores metrics/entities via Rawdash storage.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports/configures connector and invokes Rawdash sync
Impact
Reads configured Firebase Crashlytics BigQuery export data into Rawdash storage
Mechanism
Google OAuth token exchange plus BigQuery read queries
Rationale
The scanner's secret hit comes from schema, docs and code that handle the user-provided Google service account credentials (the serviceAccountJson secret), not from an embedded credential or an exfiltration path. The package has no lifecycle execution or persistence, and its runtime network access is consistent with the declared Firebase Crashlytics BigQuery connector purpose.
Evidence
- package.json
- dist/index.js
- dist/index.d.ts
- README.md
Network endpoints (3)
- oauth2.googleapis.com/token
- bigquery.googleapis.com/bigquery/v2
- www.googleapis.com/auth/bigquery.readonly (this is the read-only BigQuery OAuth scope string requested during the token exchange, picked up by URL-string extraction; it is not a host the package connects to)
Decision evidence
public snapshot · AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js handles user-supplied Google service account/private key material to mint OAuth tokens.
- dist/index.js performs runtime network calls to Google OAuth and BigQuery APIs.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts or bin entrypoint.
- dist/index.js exports a Rawdash Firebase Crashlytics connector; no import-time execution beyond definitions.
- Network endpoints are package-aligned: OAuth token exchange and BigQuery Crashlytics export queries.
- No child_process, eval/Function, dynamic require/import, filesystem writes, persistence, or AI-agent control-surface writes found.
- README.md documents the same serviceAccountJson secret and BigQuery Crashlytics workflow.
Behavioral surface
- ChildProcess
- HighEntropyStrings
- UrlStrings
Source & flagged code
2 flagged in dist/index.js (both flagged entries carry the same fields):
patternName = private_key_rsa
severity = critical
line = 30
matchedText = const pe..."");
Findings
2 Critical, 3 Low
- Critical · Critical Secret · dist/index.js
- Critical · Secret Pattern · dist/index.js
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings