AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked Transcend administration CLI with expected API, filesystem, and local tool operations for importing/exporting privacy, consent, inventory, and policy data.
Decision evidence
public snapshot- User-invoked commands can read/write CSV/YAML/receipts and call Transcend APIs
- dist/impl-BoIgxdNp.mjs uses execSync for git config in scan-packages
- dist/impl-CmPkzyZT.mjs runs opa/tar/git for policy publishing
- package.json has no preinstall/install/postinstall lifecycle hooks
- dist/bin/cli.mjs only dispatches CLI args through @stricli/core
- dist/bin/deprecated-command.mjs only prints deprecation help and exits
- Trojan-source hint not confirmed: bidi/invisible scan of uploadPrivacyRequestsFromCsv files returned no hits
- Network defaults are package-aligned Transcend endpoints in dist/constants-B6wEjJhL.mjs
- No Claude/Codex/Cursor/MCP control-surface writes found
Source & flagged code
12 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsView on unpkg