
@anime.club/translations@1.1.169

This repository contains all translations for the [Anime.club](https://anime.club) website 😉

AI Security Review

scanned 7h ago · by lpm-firewall-ai

No confirmed malicious payload is present in the package source; contents are translation tables. The unresolved surface is install-time execution of `bunx config prepare`, which delegates behavior to an external CLI outside the inspected package files.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install / package lifecycle postinstall
Impact: Potential arbitrary install-time code execution by the resolved `config` CLI, but no source-local exfiltration, persistence, or agent hijack was confirmed.
Mechanism: install-time external CLI execution via bunx
Attack narrative: During installation, npm can run `postinstall`, which executes `bunx config prepare`. The reviewed package source itself consists of translation exports and type declarations, but the lifecycle command delegates to an external CLI that is not present in the package files, leaving install-time behavior unresolved from source inspection alone.
Rationale: Source inspection does not show credential harvesting, exfiltration, persistence, destructive actions, or AI-agent control-surface mutation. The install-time `bunx config prepare` hook is unnecessary for a translation data package and executes external code, so this should warn rather than publish-block, absent a confirmed payload.
Evidence: package.json, src/english.ts, types/interfaces.d.ts, readme.md

Decision evidence

Public snapshot: the AI classified this package as Suspicious at 78.0% confidence (category Unknown), with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: `bunx config prepare`
  • postinstall invokes an external CLI name not included in package files or runtime dependencies
  • Lifecycle command can execute during consumer install before any user-invoked package use
Evidence against
  • src/*.ts files inspected are static translation maps exporting text strings/functions
  • types/interfaces.d.ts only imports the English translation type for structure
  • No package source references child_process, eval/vm/Function, credential/env access, file writes, or network APIs
  • No AI-agent control-surface files or writes found in package contents
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
Scanned 14 file(s), 490 KB of source.

Source & flagged code

2 flagged

package.json
scripts.postinstall = bunx config prepare
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bunx config prepare
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 1 Medium, 2 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present
  • Low: High Entropy Strings