AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook or bin.
- `dist/index.js` exports push functions without import-time network activity.
- Network calls target Expo/Google FCM endpoints only when send/receipt/topic APIs are invoked.
- FCM credentials are caller-provided through `configure`; no embedded credential was found.
- README `SLACK_SECRET_KEY=SSK123` is a placeholder unrelated to runtime code.
- No filesystem, shell, eval, dynamic-loading, or persistence primitives found.
Behavioral surface
Supply chainMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.50 KB of source, external domains: exp.host, fcm.googleapis.com, oauth2.googleapis.com, www.googleapis.com