AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network activity is the package's explicit Garmin authentication/API client behavior, and token persistence requires a caller-supplied directory.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer constructs GarminConnect and calls login or explicit token/file methods.
Impact
Supplied Garmin credentials are transmitted to Garmin SSO during login; no unsolicited collection, execution, persistence, or exfiltration was found.
Mechanism
user-invoked Garmin OAuth authentication and API requests
Rationale
The static signals correspond to an explicit Garmin Connect client: credentialed login requests, token handling, and user-invoked exports. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example.js
Network endpoints5
sso.garmin.comconnectapi.garmin.comconnect.garmin.commobile.integration.garmin.com/gcm/androidthegarth.s3.amazonaws.com/oauth_consumer.json
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, postinstall, or prepare hook; prepack only builds before publishing.
- dist/index.js only exports library modules and has no import-time network, filesystem, or shell action.
- dist/common/HttpClient.js sends credentials only during explicit login to Garmin SSO/API endpoints and fetches OAuth consumer data from a fixed S3 URL.
- dist/garmin/GarminConnect.js reads optional project config and writes OAuth tokens only through explicit exportTokenToFile(dirPath).
- No child_process, eval, VM, dynamic loader, destructive filesystem, or AI-agent control-surface behavior was found.
- process.env credential references are confined to user-run example files.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
5 flagged · loading sourceexamples/example.jsView file
8patternName = generic_password
severity = medium
line = 8
matchedText = password...ord'
Medium
15patternName = generic_password
severity = medium
line = 15
matchedText = // p...ord'
Medium
dist/common/HttpClient.jsView file
53exports.HttpClient = void 0;
L54: var axios_1 = __importDefault(require("axios"));
L55: var lodash_1 = __importDefault(require("lodash"));
...
L271: switch (_a.label) {
L272: case 0: return [4 /*yield*/, this.client.post(url, data, config)];
L273: case 1:
...
L527: .update(base_string)
L528: .digest('base64');
L529: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/common/HttpClient.jsView on unpkg · L53package.jsonView file
•Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgREADME.mdView file
51patternName = generic_password
severity = medium
line = 51
matchedText = password...ord'
Medium
Findings
1 High5 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumSecret Patternexamples/example.js
MediumNetwork
MediumEnvironment Vars
MediumSecret PatternREADME.md
MediumSecret Patternexamples/example.js
LowScripts Present
LowWeak Cryptodist/common/HttpClient.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings