AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime sync obtains a Google OAuth token and queries BigQuery for Crashlytics export data only when the Rawdash connector is configured and invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
User configures and runs the Rawdash connector sync
Impact
Reads configured Firebase Crashlytics BigQuery export data into Rawdash storage
Mechanism
OAuth token exchange and BigQuery read queries
Rationale
The scanner's secret finding is explained by schema and request construction for user-provided Google credentials, not embedded secrets or exfiltration. Source inspection shows package-aligned Google OAuth/BigQuery access with no lifecycle execution, persistence, shell execution, filesystem mutation, or suspicious endpoints.
Evidence
package.jsondist/index.jsREADME.mddist/index.js.mapdist/index.d.ts
Network endpoints2
oauth2.googleapis.com/tokenbigquery.googleapis.com/bigquery/v2
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoints.
- dist/index.js only exports a Rawdash connector class and helper functions; no import-time side effects found.
- Credential fields are user-supplied Google service account or refresh-token material used to request OAuth tokens from Google.
- Network access is limited to Google OAuth and BigQuery APIs aligned with Firebase Crashlytics BigQuery export.
- No child_process, eval/Function, dynamic require/import, filesystem writes, persistence, or AI-agent control-surface writes found.
- README.md documents the same Google BigQuery/Crashlytics connector behavior.
Behavioral surface
ChildProcess
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
30patternName = private_key_rsa
severity = critical
line = 30
matchedText = const pe..."");
Critical
30patternName = private_key_rsa
severity = critical
line = 30
matchedText = const pe..."");
Critical
Findings
2 Critical3 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings