registry  /  @zeedhi/translate  /  1.131.0

@zeedhi/translate@1.131.0

Zeedhi Translate

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The explicit CLI command fetches translations and writes JSON output, matching the package purpose.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `zeedhi-translate download <organization-id> <repository-id>`.
Impact
Creates translation JSON files using paths returned by the selected translation service; no automatic install-time action occurs.
Mechanism
User-invoked HTTP translation download and JSON generation.
Rationale
The package is an explicit CLI for downloading translations and writing JSON files, with no lifecycle execution or concrete malicious chain. The scanner's built-in-name dependency signal is unsupported by the inspected source.
Evidence
package.jsonbin/zeedhi-translate.jssrc/download.jssrc/util/enhanceErrorMessages.jsREADME.md
Network endpoints2
translate.teknisa.com/backend/index.php/getWordsByRepositoryrc-translate.teknisa.com/backend/index.php/getWordsByRepository

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/download.js` accepts `--runAt` as a caller-selected endpoint and writes generated JSON paths supplied in that endpoint's response.
  • The manifest declares a third-party `path` dependency, but package source does not require it; this is a noisy static hint.
Evidence against
  • `package.json` has no preinstall/install/postinstall or other lifecycle scripts.
  • `bin/zeedhi-translate.js` runs only through the explicit `zeedhi-translate download` command.
  • `src/download.js` posts only organization/repository IDs to translation endpoints and generates translation JSON files.
  • No shell execution, eval/dynamic loading, credential harvesting, persistence, or AI-agent configuration writes appear in inspected source.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 6.30 KB of source, external domains: rc-translate.teknisa.com, translate.teknisa.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Low
HighNode Builtin Dependency Squatpackage.json
LowUrl Strings