usrcp-google-calendar@0.2.2

Google Calendar capture adapter for USRCP - polls the configured user's primary calendar for past events they attended and appends them to the local ledger

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Google Calendar adapter that reads user-configured calendar data and writes local USRCP ledger events; the install hook only rebuilds a native sqlite dependency.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; runtime behavior requires invoking usrcp-google-calendar or setup flow
Impact
Reads configured Google Calendar events and stores them locally; no source evidence of exfiltration or unauthorized persistence
Mechanism
package-aligned calendar polling and local ledger capture
Rationale
Static source inspection shows a package-aligned adapter with a noisy but explainable postinstall rebuild and runtime Google Calendar API access using user-provided OAuth credentials. There is no evidence of unconsented install-time agent control mutation, credential exfiltration, remote code execution, destructive behavior, or persistence beyond local adapter config/cursor storage.
Evidence
  • package.json
  • dist/index.js
  • dist/reader.js
  • dist/capture.js
  • dist/config.js
  • dist/setup.js
  • README.md
  • node_modules/better-sqlite3/build
  • node_modules/usrcp-core/node_modules/better-sqlite3/build
  • node_modules/usrcp-stream/node_modules/better-sqlite3/build
  • ~/.usrcp/google-calendar-config.json
Network endpoints (3)
  • www.googleapis.com/auth/calendar.readonly
  • console.cloud.google.com
  • developers.google.com/oauthplayground

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json postinstall deletes better-sqlite3 build dirs under node_modules and runs npm rebuild better-sqlite3
  • dist/index.js has user-invoked --reset-config execSync("usrcp setup --adapter=google-calendar")
  • dist/setup.js collects OAuth client secret and refresh token for Google Calendar setup
Evidence against
  • package.json lifecycle hook is limited to rebuilding native better-sqlite3 dependency, no foreign agent/control-surface writes
  • dist/index.js main/bin polls Google Calendar only after runtime invocation and local config preflight
  • dist/reader.js uses google-auth-library and @googleapis/calendar to read primary calendar events
  • dist/capture.js writes normalized calendar event metadata to local USRCP ledger via appendEvent
  • dist/config.js stores adapter config through usrcp-adapter-kit with secret fields and cursor field
  • rg found no eval/vm/Function, remote code loading, credential exfiltration, persistence, or AI-agent config mutation
Behavioral surface
Source
  • ChildProcess
  • Crypto
  • EnvironmentVars
Supply chain
  • UrlStrings
Manifest
No manifest risk signals triggered.
scanned 5 file(s), 31.1 KB of source, external domains: www.googleapis.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Findings

1 Critical · 1 High · 1 Medium · 2 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Url Strings