registry  /  @transcend-io/cli  /  10.12.1

@transcend-io/cli@10.12.1

A command line interface for programmatic operations across Transcend.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a broad Transcend operations CLI with user-invoked API, CSV/YAML, policy, and file-processing commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the transcend CLI or legacy bin aliases
Impact
Can read/write user-specified files and call Transcend APIs when invoked with credentials, but no install-time or import-time abuse was found
Mechanism
authenticated Transcend CLI operations and local import/export helpers
Rationale
Static inspection shows no lifecycle hook, no foreign AI-agent control-surface mutation, and no credential/file exfiltration outside package-aligned Transcend CLI behavior. Scanner findings map to legitimate user-invoked CLI functionality, including API calls, local file import/export, and a bidi-character regex used for phone cleanup.
Evidence
package.jsondist/bin/cli.mjsdist/bin/deprecated-command.mjsdist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjsdist/constants-W0InNUWp.mjsdist/runOpa-BLjrKfy_.mjsdist/context-CdSyuBlf.mjs
Network endpoints4
api.transcend.ioapi.us.transcend.ioconsent.transcend.ioapp.transcend.io

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle scripts
    • dist/bin/cli.mjs only invokes @stricli/core run with process argv
    • dist/bin/deprecated-command.mjs only prints deprecation/help text and exits
    • dist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjs bidi characters occur in a phone-normalization regex, not hidden control flow
    • Network use is Transcend API/Sombra/consent service aligned and gated by CLI auth flags
    • child_process usage is limited to user-invoked OPA/git/duckdb helper commands
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystem
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 121 file(s), 333 KB of source, external domains: api.transcend.io, api.us.transcend.io, app.transcend.io, consent.transcend.io, consent.us.transcend.io, docs.transcend.io, github.com, www.openpolicyagent.org

    Source & flagged code

    12 flagged · loading source
    dist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjsView file
    1contains invisible/control Unicode U+202D (left-to-right override) import{a as e}from"./constants-W0InNUWp.mjs";import{t}from"./logger-B-LXIf3U.mjs";import{a as n,c as r,i,l as a,o,r as s,s as c,t as l}from"./constants-KYaYveEQ.mjs";import{n as u,t as d}from"./fuzzyMatchColumns-Dym9eeQe.mjs";import{n as f,
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjsView on unpkg · L1
    Trigger-reachable chain: manifest.main -> dist/index.mjs -> [redacted]-dgtJzNwi.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjsView on unpkg
    README.mdView file
    1706patternName = generic_password severity = medium line = 1706 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L1706
    2054patternName = generic_password severity = medium line = 2054 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L2054
    2630patternName = generic_password severity = medium line = 2630 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L2630
    2739patternName = generic_password severity = medium line = 2739 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L2739
    2754patternName = generic_password severity = medium line = 2754 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L2754
    3332patternName = generic_password severity = medium line = 3332 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L3332
    3343patternName = generic_password severity = medium line = 3343 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L3343
    3355patternName = generic_password severity = medium line = 3355 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L3355
    3367patternName = generic_password severity = medium line = 3367 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L3367
    3379patternName = generic_password severity = medium line = 3379 matchedText = --passwo...D" \
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L3379

    Findings

    2 Critical12 Medium4 Low
    CriticalTrojan Source Unicodedist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/uploadPrivacyRequestsFromCsv-dgtJzNwi.mjs
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings