registry  /  @transcend-io/cli  /  10.12.0

@transcend-io/cli@10.12.0

A command line interface for programmatic operations across Transcend.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a broad Transcend administration CLI with explicit commands for syncing privacy data, scanning dependency files, and writing requested output files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit invocation of the transcend CLI or legacy bin aliases
Impact
Can modify Transcend/OneTrust resources or local output files only when run with user-supplied arguments and credentials
Mechanism
User-invoked product administration commands
Rationale
Static source inspection shows no install-time execution, persistence, exfiltration, or unconsented agent control-surface mutation. Risky primitives are documented, user-invoked CLI administration features aligned with the package purpose.
Evidence
package.jsondist/bin/cli.mjsdist/bin/deprecated-command.mjsdist/constants-rqnINlU5.mjsdist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsdist/impl-BL4tVycI.mjsdist/runOpa-DI_fUjsb.mjs
Network endpoints4
app.transcend.ioapi.transcend.ioconsent.transcend.io{user-supplied OneTrust hostname}

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI can read/write caller-specified CSV/YAML/JSON outputs and receipts
  • User-invoked commands can run local tools such as git, opa, and duckdb for documented scanning/policy workflows
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks
  • bin entrypoints only invoke @stricli CLI or deprecated-command help mapping
  • dist/constants-rqnINlU5.mjs endpoints are Transcend product URLs with env overrides
  • dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjs bidi chars occur in a regex stripping phone-number controls, not hidden control flow
  • No writes to AI-agent control surfaces such as .mcp.json, CLAUDE.md, Cursor, Claude, or Codex settings found
  • Network and credential use is tied to explicit Transcend/OneTrust CLI commands requiring user-supplied auth
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 120 file(s), 332 KB of source, external domains: api.transcend.io, api.us.transcend.io, app.transcend.io, consent.transcend.io, consent.us.transcend.io, docs.transcend.io, github.com, www.openpolicyagent.org

Source & flagged code

12 flagged · loading source
dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsView file
1contains invisible/control Unicode U+202D (left-to-right override) import{a as e}from"./constants-rqnINlU5.mjs";import{t}from"./logger-B-LXIf3U.mjs";import{a as n,c as r,i,l as a,o,r as s,s as c,t as l}from"./constants-KYaYveEQ.mjs";import{i as u,n as d,r as f,t as p}from"./parseAttributesFromString-tbxM3l
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsView on unpkg · L1
Trigger-reachable chain: manifest.main -> dist/index.mjs -> [redacted]-LXCzTs5N.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjsView on unpkg
README.mdView file
1706patternName = generic_password severity = medium line = 1706 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1706
2054patternName = generic_password severity = medium line = 2054 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2054
2630patternName = generic_password severity = medium line = 2630 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2630
2739patternName = generic_password severity = medium line = 2739 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2739
2754patternName = generic_password severity = medium line = 2754 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2754
3332patternName = generic_password severity = medium line = 3332 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3332
3343patternName = generic_password severity = medium line = 3343 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3343
3355patternName = generic_password severity = medium line = 3355 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3355
3367patternName = generic_password severity = medium line = 3367 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3367
3379patternName = generic_password severity = medium line = 3379 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3379

Findings

2 Critical12 Medium4 Low
CriticalTrojan Source Unicodedist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/uploadPrivacyRequestsFromCsv-LXCzTs5N.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings