@anime.club/translations@1.1.165

This repository contains all translations for the [Anime.club](https://anime.club) website 😉

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The only unresolved attack surface is install-time execution through a postinstall script. The shipped source otherwise appears to be translation data and type declarations.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or compatible package installation lifecycle
Impact
Runs external tooling during install; no package-local malicious payload confirmed by source inspection.
Mechanism
postinstall invokes bunx config prepare
Attack narrative
On installation, the package manager can run package.json postinstall, which invokes bunx with config prepare. The package-local source does not contain exfiltration or destructive logic, but the lifecycle script hands execution to external tooling not included in the package source, leaving install-time behavior unresolved.
Rationale
Static inspection found no malicious code in the translation files, but an install lifecycle script that executes external tooling is a real, unresolved install-time risk for a data-only translations package. This warrants a warning rather than a block because no concrete malicious payload or exfiltration behavior is present in the inspected package files.
Evidence
package.json, src/english.ts, src/*.ts, types/interfaces.d.ts

Decision evidence

public snapshot
The AI classified this package as Suspicious (category Unknown) at 72.0% confidence, with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: bunx config prepare
  • postinstall delegates execution to bunx/config rather than translation source code
  • No package-local implementation of the install command is present to inspect
Evidence against
  • src/*.ts are static exported translation objects with simple interpolation callbacks
  • types/interfaces.d.ts only imports the English type shape
  • No source references to fs, child_process, eval, fetch, process.env, credential harvesting, or persistence
  • No package-local network endpoints beyond README/repository links
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: High Entropy Strings
Manifest: No manifest risk signals triggered.
scanned 14 file(s), 490 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = bunx config prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bunx config prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 1 Medium · 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Scripts Present
Low: High Entropy Strings