registry  /  garmin-connect-nexxt  /  1.6.24

garmin-connect-nexxt@1.6.24

Makes it simple to interface with Garmin Connect to get or set any data point

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked Garmin OAuth/API client and supports explicit token export.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer constructs `GarminConnect` and calls `login()` or `exportTokenToFile(dirPath)`.
Impact
Credentials are sent to Garmin authentication endpoints for the requested login; token files are written only through an explicit API call.
Mechanism
Garmin SSO/OAuth requests with optional caller-directed token-file export.
Rationale
Static inspection shows expected Garmin authentication, API access, and explicit token persistence rather than covert execution or exfiltration. Scanner signals are explained by normal network/OAuth behavior, examples reading Garmin environment variables, and Node's built-in `crypto` module.
Evidence
package.jsondist/index.jsdist/common/HttpClient.jsdist/garmin/GarminConnect.jsdist/garmin/UrlClass.jsdist/utils.jsexamples/example-image.js
Network endpoints5
thegarth.s3.amazonaws.com/oauth_consumer.jsonsso.garmin.comconnectapi.garmin.comconnect.garmin.commobile.integration.garmin.com

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/common/HttpClient.js` fetches OAuth consumer data from an external S3 URL during user-invoked login.
  • `dist/garmin/GarminConnect.js` can explicitly export OAuth tokens to caller-supplied directories.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `dist/index.js` only exports library modules; no import-time network or command execution was found.
  • No child-process, shell, eval, Function, dynamic import, AI-agent config, or persistence primitive appears in runtime source.
  • Login posts supplied credentials to constructed Garmin SSO endpoints; no unrelated credential-exfiltration endpoint was found.
  • `dist/utils.js` file writes are reached only by the explicit `exportTokenToFile(dirPath)` API.
  • `crypto` use is HMAC-SHA1 for OAuth signing, not payload encryption or obfuscation.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 130 KB of source, external domains: connect.garmin.com, mobile.integration, thegarth.s3.amazonaws.com

Source & flagged code

5 flagged · loading source
examples/example.jsView file
8patternName = generic_password severity = medium line = 8 matchedText = password...ord'
Medium
Secret Pattern

Package contains a possible secret pattern.

examples/example.jsView on unpkg · L8
15patternName = generic_password severity = medium line = 15 matchedText = // p...ord'
Medium
Secret Pattern

Hardcoded password in examples/example.js

examples/example.jsView on unpkg · L15
dist/common/HttpClient.jsView file
53exports.HttpClient = void 0; L54: var axios_1 = __importDefault(require("axios")); L55: var lodash_1 = __importDefault(require("lodash")); ... L275: switch (_a.label) { L276: case 0: return [4 /*yield*/, this.client.post(url, data, config)]; L277: case 1: ... L531: .update(base_string) L532: .digest('base64'); L533: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/common/HttpClient.jsView on unpkg · L53
package.jsonView file
Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
README.mdView file
51patternName = generic_password severity = medium line = 51 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L51

Findings

1 High5 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumSecret Patternexamples/example.js
MediumNetwork
MediumEnvironment Vars
MediumSecret PatternREADME.md
MediumSecret Patternexamples/example.js
LowScripts Present
LowWeak Cryptodist/common/HttpClient.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings