AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. This is a user-invoked Garmin Connect client that authenticates and performs requested Garmin API operations.
Static reason
One or more suspicious static signals were detected.
Trigger
Caller constructs GarminConnect and invokes login or another API method.
Impact
Authenticated Garmin account data and user-selected uploads may be sent to Garmin endpoints as intended; no unrelated exfiltration, persistence, or install-time action was found.
Mechanism
Explicit OAuth authentication and Garmin API requests with optional user-directed token/file handling.
Rationale
Direct source inspection shows a conventional Garmin API client whose network, credential, token, and file operations are reached through explicit user calls. No concrete malicious behavior, install-time execution, broad filesystem harvesting, or unconsented control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example.jsexamples/example-workout.jsexamples/example-gpx-file.js
Network endpoints5
thegarth.s3.amazonaws.com/oauth_consumer.jsonsso.garmin.comconnect.garmin.comconnectapi.garmin.commobile.integration.garmin.com
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- dist/index.js only exports the Garmin client; import-time code only attempts optional garmin.config.json loading.
- dist/common/HttpClient.js sends requests only through explicit login/API methods and contains no eval, child_process, dynamic code loading, or payload execution.
- dist/garmin/GarminConnect.js file reads/writes are explicit token export/import and user-provided activity/photo paths.
- The remote OAuth-consumer JSON is fetched as data, mapped to key/secret fields, and never executed.
- The crypto signal is OAuth 1.0a HMAC-SHA1 signing in dist/common/HttpClient.js, not obfuscated payload handling.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
5 flagged · loading sourceexamples/example.jsView file
8patternName = generic_password
severity = medium
line = 8
matchedText = password...ord'
Medium
15patternName = generic_password
severity = medium
line = 15
matchedText = // p...ord'
Medium
dist/common/HttpClient.jsView file
53exports.HttpClient = void 0;
L54: var axios_1 = __importDefault(require("axios"));
L55: var lodash_1 = __importDefault(require("lodash"));
...
L275: switch (_a.label) {
L276: case 0: return [4 /*yield*/, this.client.post(url, data, config)];
L277: case 1:
...
L531: .update(base_string)
L532: .digest('base64');
L533: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/common/HttpClient.jsView on unpkg · L53package.jsonView file
•Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgREADME.mdView file
51patternName = generic_password
severity = medium
line = 51
matchedText = password...ord'
Medium
Findings
1 High5 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumSecret Patternexamples/example.js
MediumNetwork
MediumEnvironment Vars
MediumSecret PatternREADME.md
MediumSecret Patternexamples/example.js
LowScripts Present
LowWeak Cryptodist/common/HttpClient.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings