registry  /  @transcend-io/cli  /  10.10.0

@transcend-io/cli@10.10.0

A command line interface for programmatic operations across Transcend.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Transcend administration CLI with user-invoked API, CSV/YAML, policy, and worker commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs transcend or imports package APIs
Impact
Can modify Transcend tenant data or local output files when invoked with credentials and paths
Mechanism
package-aligned CLI operations using local files and Transcend APIs
Rationale
Static inspection shows risky primitives are tied to explicit CLI/admin workflows and package-aligned Transcend endpoints, with no lifecycle trigger or unconsented agent/control-surface mutation. The Unicode finding is explained by input normalization rather than hidden control-flow manipulation.
Evidence
package.jsondist/bin/cli.mjsdist/bin/deprecated-command.mjsdist/bin/bash-complete.mjsdist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsdist/constants-FP8lxFg5.mjsdist/impl-CWpfY0TU.mjsdist/runOpa-Cbh5ktOh.mjsdist/readCsv-C-5HBa7w.mjsdist/writeCsv-CbT4a0uj.mjs
Network endpoints3
api.transcend.ioconsent.transcend.ioapp.transcend.io

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI can read/write local CSV/YAML/receipt files and call Transcend APIs.
  • User-invoked commands include child_process for git/opa/worker flows, not lifecycle execution.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin entrypoints only run stricli CLI, bash completion, or deprecated-command help mapping.
  • Network defaults are package-aligned: https://api.transcend.io, https://consent.transcend.io, https://app.transcend.io.
  • Scanner Trojan Source hit is a regex stripping bidi chars from phone numbers in dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjs.
  • No Claude/Codex/Cursor/MCP/agent control-surface writes found.
  • No import-time exfiltration, persistence, or destructive behavior confirmed.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 114 file(s), 328 KB of source, external domains: api.transcend.io, api.us.transcend.io, app.transcend.io, consent.transcend.io, consent.us.transcend.io, docs.transcend.io, github.com, www.openpolicyagent.org

Source & flagged code

12 flagged · loading source
dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsView file
1contains invisible/control Unicode U+202D (left-to-right override) import{a as e}from"./constants-FP8lxFg5.mjs";import{t}from"./logger-B-LXIf3U.mjs";import{a as n,c as r,i,l as a,o,r as s,s as c,t as l}from"./constants-KYaYveEQ.mjs";import{i as u,n as d,r as f,t as p}from"./parseAttributesFromString-tbxM3l
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsView on unpkg · L1
Trigger-reachable chain: manifest.main -> dist/index.mjs -> [redacted]-i46OEhw-.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjsView on unpkg
README.mdView file
1704patternName = generic_password severity = medium line = 1704 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1704
2052patternName = generic_password severity = medium line = 2052 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2052
2628patternName = generic_password severity = medium line = 2628 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2628
2737patternName = generic_password severity = medium line = 2737 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2737
2752patternName = generic_password severity = medium line = 2752 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2752
3330patternName = generic_password severity = medium line = 3330 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3330
3341patternName = generic_password severity = medium line = 3341 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3341
3353patternName = generic_password severity = medium line = 3353 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3353
3365patternName = generic_password severity = medium line = 3365 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3365
3377patternName = generic_password severity = medium line = 3377 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3377

Findings

2 Critical12 Medium4 Low
CriticalTrojan Source Unicodedist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/uploadPrivacyRequestsFromCsv-i46OEhw-.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings