AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The explicit CLI command fetches translations and writes JSON output, matching the package purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `zeedhi-translate download <organization-id> <repository-id>`.
Impact
Creates translation JSON files using paths returned by the selected translation service; no automatic install-time action occurs.
Mechanism
User-invoked HTTP translation download and JSON generation.
Rationale
The package is an explicit CLI for downloading translations and writing JSON files, with no lifecycle execution or concrete malicious chain. The scanner's built-in-name dependency signal is unsupported by the inspected source.
Evidence
package.jsonbin/zeedhi-translate.jssrc/download.jssrc/util/enhanceErrorMessages.jsREADME.md
Network endpoints2
translate.teknisa.com/backend/index.php/getWordsByRepositoryrc-translate.teknisa.com/backend/index.php/getWordsByRepository
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `src/download.js` accepts `--runAt` as a caller-selected endpoint and writes generated JSON paths supplied in that endpoint's response.
- The manifest declares a third-party `path` dependency, but package source does not require it; this is a noisy static hint.
Evidence against
- `package.json` has no preinstall/install/postinstall or other lifecycle scripts.
- `bin/zeedhi-translate.js` runs only through the explicit `zeedhi-translate download` command.
- `src/download.js` posts only organization/repository IDs to translation endpoints and generates translation JSON files.
- No shell execution, eval/dynamic loading, credential harvesting, persistence, or AI-agent configuration writes appear in inspected source.
Behavioral surface
UrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Low
HighNode Builtin Dependency Squatpackage.json
LowUrl Strings