AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` sends user-supplied push payloads to Expo and FCM endpoints.
- `dist/index.js` signs a configured FCM service-account key to obtain an OAuth token.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- `dist/index.js` exports push functions and makes no network request at import time.
- No filesystem access, shell execution, dynamic code loading, or persistence primitives found.
- The apparent private-key pattern processes caller-provided FCM configuration; no embedded credential is present.
- All observed network calls implement the package's advertised Expo/FCM push functionality.
Behavioral surface
Supply chainMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.50 KB of source, external domains: exp.host, fcm.googleapis.com, oauth2.googleapis.com, www.googleapis.com