registry  /  garmin-connect-nexxt  /  1.6.22

garmin-connect-nexxt@1.6.22

Makes it simple to interface with Garmin Connect to get or set any data point

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network activity is the package's explicit Garmin authentication/API client behavior, and token persistence requires a caller-supplied directory.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer constructs GarminConnect and calls login or explicit token/file methods.
Impact
Supplied Garmin credentials are transmitted to Garmin SSO during login; no unsolicited collection, execution, persistence, or exfiltration was found.
Mechanism
user-invoked Garmin OAuth authentication and API requests
Rationale
The static signals correspond to an explicit Garmin Connect client: credentialed login requests, token handling, and user-invoked exports. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example.js
Network endpoints5
sso.garmin.comconnectapi.garmin.comconnect.garmin.commobile.integration.garmin.com/gcm/androidthegarth.s3.amazonaws.com/oauth_consumer.json

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook; prepack only builds before publishing.
    • dist/index.js only exports library modules and has no import-time network, filesystem, or shell action.
    • dist/common/HttpClient.js sends credentials only during explicit login to Garmin SSO/API endpoints and fetches OAuth consumer data from a fixed S3 URL.
    • dist/garmin/GarminConnect.js reads optional project config and writes OAuth tokens only through explicit exportTokenToFile(dirPath).
    • No child_process, eval, VM, dynamic loader, destructive filesystem, or AI-agent control-surface behavior was found.
    • process.env credential references are confined to user-run example files.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 30 file(s), 129 KB of source, external domains: connect.garmin.com, mobile.integration, thegarth.s3.amazonaws.com

    Source & flagged code

    5 flagged · loading source
    examples/example.jsView file
    8patternName = generic_password severity = medium line = 8 matchedText = password...ord'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    examples/example.jsView on unpkg · L8
    15patternName = generic_password severity = medium line = 15 matchedText = // p...ord'
    Medium
    Secret Pattern

    Hardcoded password in examples/example.js

    examples/example.jsView on unpkg · L15
    dist/common/HttpClient.jsView file
    53exports.HttpClient = void 0; L54: var axios_1 = __importDefault(require("axios")); L55: var lodash_1 = __importDefault(require("lodash")); ... L271: switch (_a.label) { L272: case 0: return [4 /*yield*/, this.client.post(url, data, config)]; L273: case 1: ... L527: .update(base_string) L528: .digest('base64'); L529: }
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/common/HttpClient.jsView on unpkg · L53
    package.jsonView file
    Runtime dependency names matching Node built-ins: crypto
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg
    README.mdView file
    51patternName = generic_password severity = medium line = 51 matchedText = password...ord'
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L51

    Findings

    1 High5 Medium5 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumSecret Patternexamples/example.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret PatternREADME.md
    MediumSecret Patternexamples/example.js
    LowScripts Present
    LowWeak Cryptodist/common/HttpClient.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings