registry  /  garmin-connect-nexxt  /  1.6.23

garmin-connect-nexxt@1.6.23

Makes it simple to interface with Garmin Connect to get or set any data point

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. This is a user-invoked Garmin Connect client that authenticates and performs requested Garmin API operations.

Static reason
One or more suspicious static signals were detected.
Trigger
Caller constructs GarminConnect and invokes login or another API method.
Impact
Authenticated Garmin account data and user-selected uploads may be sent to Garmin endpoints as intended; no unrelated exfiltration, persistence, or install-time action was found.
Mechanism
Explicit OAuth authentication and Garmin API requests with optional user-directed token/file handling.
Rationale
Direct source inspection shows a conventional Garmin API client whose network, credential, token, and file operations are reached through explicit user calls. No concrete malicious behavior, install-time execution, broad filesystem harvesting, or unconsented control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example.jsexamples/example-workout.jsexamples/example-gpx-file.js
Network endpoints5
thegarth.s3.amazonaws.com/oauth_consumer.jsonsso.garmin.comconnect.garmin.comconnectapi.garmin.commobile.integration.garmin.com

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
    • dist/index.js only exports the Garmin client; import-time code only attempts optional garmin.config.json loading.
    • dist/common/HttpClient.js sends requests only through explicit login/API methods and contains no eval, child_process, dynamic code loading, or payload execution.
    • dist/garmin/GarminConnect.js file reads/writes are explicit token export/import and user-provided activity/photo paths.
    • The remote OAuth-consumer JSON is fetched as data, mapped to key/secret fields, and never executed.
    • The crypto signal is OAuth 1.0a HMAC-SHA1 signing in dist/common/HttpClient.js, not obfuscated payload handling.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 30 file(s), 129 KB of source, external domains: connect.garmin.com, mobile.integration, thegarth.s3.amazonaws.com

    Source & flagged code

    5 flagged · loading source
    examples/example.jsView file
    8patternName = generic_password severity = medium line = 8 matchedText = password...ord'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    examples/example.jsView on unpkg · L8
    15patternName = generic_password severity = medium line = 15 matchedText = // p...ord'
    Medium
    Secret Pattern

    Hardcoded password in examples/example.js

    examples/example.jsView on unpkg · L15
    dist/common/HttpClient.jsView file
    53exports.HttpClient = void 0; L54: var axios_1 = __importDefault(require("axios")); L55: var lodash_1 = __importDefault(require("lodash")); ... L275: switch (_a.label) { L276: case 0: return [4 /*yield*/, this.client.post(url, data, config)]; L277: case 1: ... L531: .update(base_string) L532: .digest('base64'); L533: }
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/common/HttpClient.jsView on unpkg · L53
    package.jsonView file
    Runtime dependency names matching Node built-ins: crypto
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg
    README.mdView file
    51patternName = generic_password severity = medium line = 51 matchedText = password...ord'
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L51

    Findings

    1 High5 Medium5 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumSecret Patternexamples/example.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret PatternREADME.md
    MediumSecret Patternexamples/example.js
    LowScripts Present
    LowWeak Cryptodist/common/HttpClient.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings