AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` sends caller-provided Expo/FCM push payloads via `fetch`.
- `dist/index.js` creates an OAuth JWT from caller-configured FCM service-account credentials.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- `dist/index.js` exports notification functions; network calls occur only when those functions are invoked.
- No filesystem access, shell/process execution, dynamic code loading, or persistence APIs found.
- No embedded credentials found; the apparent secret signal is the `privateKey` configuration field.
- All observed endpoints are Expo, Firebase Cloud Messaging, or Google OAuth services aligned with push delivery.
Behavioral surface
Supply chainMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.50 KB of source, external domains: exp.host, fcm.googleapis.com, oauth2.googleapis.com, www.googleapis.com