AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked Garmin OAuth/API client and supports explicit token export.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer constructs `GarminConnect` and calls `login()` or `exportTokenToFile(dirPath)`.
Impact
Credentials are sent to Garmin authentication endpoints for the requested login; token files are written only through an explicit API call.
Mechanism
Garmin SSO/OAuth requests with optional caller-directed token-file export.
Rationale
Static inspection shows expected Garmin authentication, API access, and explicit token persistence rather than covert execution or exfiltration. Scanner signals are explained by normal network/OAuth behavior, examples reading Garmin environment variables, and Node's built-in `crypto` module.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example-image.js
Network endpoints5
thegarth.s3.amazonaws.com/oauth_consumer.jsonsso.garmin.comconnectapi.garmin.comconnect.garmin.commobile.integration.garmin.com
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/common/HttpClient.js` fetches OAuth consumer data from an external S3 URL during user-invoked login.
- `dist/garmin/GarminConnect.js` can explicitly export OAuth tokens to caller-supplied directories.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `dist/index.js` only exports library modules; no import-time network or command execution was found.
- No child-process, shell, eval, Function, dynamic import, AI-agent config, or persistence primitive appears in runtime source.
- Login posts supplied credentials to constructed Garmin SSO endpoints; no unrelated credential-exfiltration endpoint was found.
- `dist/utils.js` file writes are reached only by the explicit `exportTokenToFile(dirPath)` API.
- `crypto` use is HMAC-SHA1 for OAuth signing, not payload encryption or obfuscation.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
5 flagged · loading sourceexamples/example.jsView file
8patternName = generic_password
severity = medium
line = 8
matchedText = password...ord'
Medium
15patternName = generic_password
severity = medium
line = 15
matchedText = // p...ord'
Medium
dist/common/HttpClient.jsView file
53exports.HttpClient = void 0;
L54: var axios_1 = __importDefault(require("axios"));
L55: var lodash_1 = __importDefault(require("lodash"));
...
L275: switch (_a.label) {
L276: case 0: return [4 /*yield*/, this.client.post(url, data, config)];
L277: case 1:
...
L531: .update(base_string)
L532: .digest('base64');
L533: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/common/HttpClient.jsView on unpkg · L53package.jsonView file
•Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgREADME.mdView file
51patternName = generic_password
severity = medium
line = 51
matchedText = password...ord'
Medium
Findings
1 High5 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumSecret Patternexamples/example.js
MediumNetwork
MediumEnvironment Vars
MediumSecret PatternREADME.md
MediumSecret Patternexamples/example.js
LowScripts Present
LowWeak Cryptodist/common/HttpClient.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings