AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `dist/index.js` exports push-notification functions; importing only defines functions/configuration.
- Network calls target Expo, Firebase, Google OAuth, and FCM endpoints for requested push operations.
- FCM credentials are supplied to `configure`; no environment or filesystem harvesting is present.
- No child-process, shell, eval, dynamic loading, filesystem writes, or persistence primitives found.
Behavioral surface
Supply chainMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.50 KB of source, external domains: exp.host, fcm.googleapis.com, oauth2.googleapis.com, www.googleapis.com