AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a broad Transcend administration CLI with explicit commands for syncing privacy data, scanning dependency files, and writing requested output files.
Decision evidence
public snapshot- User-invoked CLI can read/write caller-specified CSV/YAML/JSON outputs and receipts
- User-invoked commands can run local tools such as git, opa, and duckdb for documented scanning/policy workflows
- package.json has no preinstall/install/postinstall/prepare lifecycle hooks
- bin entrypoints only invoke @stricli CLI or deprecated-command help mapping
- dist/constants-rqnINlU5.mjs endpoints are Transcend product URLs with env overrides
- dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjs bidi chars occur in a regex stripping phone-number controls, not hidden control flow
- No writes to AI-agent control surfaces such as .mcp.json, CLAUDE.md, Cursor, Claude, or Codex settings found
- Network and credential use is tied to explicit Transcend/OneTrust CLI commands requiring user-supplied auth
Source & flagged code
12 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsView on unpkg