@rawdash/connector-firebase-crashlytics@0.29.1

Rawdash connector for Firebase Crashlytics - syncs daily crash counts, crash-free user rate, and top issues from the Crashlytics -> BigQuery export

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime sync obtains a Google OAuth token and queries BigQuery for Crashlytics export data only when the Rawdash connector is configured and invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User configures and runs the Rawdash connector sync
Impact
Reads configured Firebase Crashlytics BigQuery export data into Rawdash storage
Mechanism
OAuth token exchange and BigQuery read queries
Rationale
The scanner's secret finding is explained by schema and request construction for user-provided Google credentials, not embedded secrets or exfiltration. Source inspection shows package-aligned Google OAuth/BigQuery access with no lifecycle execution, persistence, shell execution, filesystem mutation, or suspicious endpoints.
Evidence
package.json, dist/index.js, README.md, dist/index.js.map, dist/index.d.ts
Network endpoints (2)
oauth2.googleapis.com/token, bigquery.googleapis.com/bigquery/v2

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoints.
    • dist/index.js only exports a Rawdash connector class and helper functions; no import-time side effects found.
    • Credential fields are user-supplied Google service account or refresh-token material used to request OAuth tokens from Google.
    • Network access is limited to Google OAuth and BigQuery APIs aligned with Firebase Crashlytics BigQuery export.
    • No child_process, eval/Function, dynamic require/import, filesystem writes, persistence, or AI-agent control-surface writes found.
    • README.md documents the same Google BigQuery/Crashlytics connector behavior.
    Behavioral surface
    Source: ChildProcess
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 1 file(s), 29.6 KB of source, external domains: bigquery.googleapis.com, firebase.google.com, oauth2.googleapis.com, rawdash.dev, www.googleapis.com

    Source & flagged code

    2 flagged
    dist/index.js
    30: patternName = private_key_rsa severity = critical line = 30 matchedText = const pe..."");
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/index.js · L30
    30: patternName = private_key_rsa severity = critical line = 30 matchedText = const pe..."");
    Critical
    Secret Pattern

    RSA private key in dist/index.js

    dist/index.js · L30

    Findings

    2 Critical, 3 Low
    Critical: Critical Secret (dist/index.js)
    Critical: Secret Pattern (dist/index.js)
    Low: Scripts Present
    Low: High Entropy Strings
    Low: Url Strings