usrcp-google-calendar@0.2.1

Google Calendar capture adapter for USRCP - polls the configured user's primary calendar for past events they attended and appends them to the local ledger

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The lifecycle script is risky-looking but limited to deleting better-sqlite3 build directories under node_modules and rebuilding that dependency.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for postinstall; user-run CLI for calendar polling/setup
Impact
Reads configured user's primary Google Calendar events after user-provided OAuth setup and records them locally.
Mechanism
Google Calendar read-only adapter writing local ledger events
Rationale
Source inspection shows a legitimate USRCP Google Calendar adapter with user-invoked OAuth setup, Google Calendar polling, and local ledger writes. The postinstall hook is an install-time primitive but appears package-aligned for rebuilding better-sqlite3 rather than harvesting data or establishing persistence.
Evidence
  • package.json
  • dist/index.js
  • dist/reader.js
  • dist/setup.js
  • dist/config.js
  • dist/capture.js
  • README.md
  • node_modules/better-sqlite3/build
  • node_modules/usrcp-core/node_modules/better-sqlite3/build
  • node_modules/usrcp-stream/node_modules/better-sqlite3/build
  • ~/.usrcp/google-calendar-config.json
Network endpoints (3)
  • www.googleapis.com/auth/calendar.readonly
  • console.cloud.google.com
  • developers.google.com/oauthplayground

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has a postinstall that runs `node -e` with fs.rmSync on the better-sqlite3 build dirs, then runs `npm rebuild better-sqlite3`.
  • dist/index.js imports node:child_process and execSyncs `usrcp setup --adapter=google-calendar` only when user passes --reset-config.
  • dist/setup.js collects OAuth client_secret and refresh_token for Google Calendar setup.
Evidence against
  • No install-time network, credential reading, or exfiltration found in package.json postinstall.
  • Runtime network is package-aligned Google Calendar OAuth/API via @googleapis/calendar and google-auth-library in dist/reader.js and dist/setup.js.
  • dist/config.js stores adapter config through usrcp-adapter-kit with secret fields and cursor writes.
  • dist/capture.js appends normalized calendar event metadata to local USRCP ledger; no outbound sink found.
  • No eval/vm/dynamic remote loading/native binary loader beyond dependency rebuild behavior found by source grep.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 5 file(s), 31.1 KB of source, external domains: www.googleapis.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json

Findings

1 Critical · 1 High · 1 Medium · 2 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Url Strings