AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Transcend administration CLI with user-invoked API, CSV/YAML, policy, and worker commands.
Decision evidence
public snapshot- User-invoked CLI can read/write local CSV/YAML/receipt files and call Transcend APIs.
- User-invoked commands include child_process for git/opa/worker flows, not lifecycle execution.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin entrypoints only run stricli CLI, bash completion, or deprecated-command help mapping.
- Network defaults are package-aligned: https://api.transcend.io, https://consent.transcend.io, https://app.transcend.io.
- Scanner Trojan Source hit is a regex stripping bidi chars from phone numbers in dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjs.
- No Claude/Codex/Cursor/MCP/agent control-surface writes found.
- No import-time exfiltration, persistence, or destructive behavior confirmed.
Source & flagged code
12 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsView on unpkg