Install-time firewall
Block malicious packages on the laptop, at npm install — not after the PR.
A thin wrapper around npm / pip / yarn / pnpm / gem / cargo that checks every package you're about to install against PkgRadar and refuses the install if any are high-risk, before the package, or its install hooks, ever run.
Install
curl -sSfL https://pkgradar.com/firewall/install.sh | bash
export PKGRADAR_TOKEN=rps_...   # free key: https://pkgradar.com/dashboard/keys

Open a new shell. Now npm install, pip install, yarn add are gated automatically: a clean package installs as normal; a malicious one is stopped cold:
$ npm install axolot-ai
🛑 PkgRadar firewall BLOCKED this install — high-risk package(s) detected:
- [email protected] [high] malware: install-time data exfiltration
Install aborted.

How it works
- Parses the packages from your install command (pkg, pkg@1.2.3, pkg==1.2.3).
- One fast round-trip to POST /gate/<ecosystem> with your API key. Verdicts come from PkgRadar's cache; a never-seen package is scanned on the fly.
- allowed: false → prints the offenders and exits non-zero without running the install. Otherwise your real command runs unchanged.
Config
| Env | Default | Meaning |
|---|---|---|
| PKGRADAR_TOKEN | — | your API key (required to gate) |
| PKGRADAR_FAIL_ON | high | high blocks high/error; review is stricter |
| PKGRADAR_STRICT | 0 | 1 = fail closed if the gate is unreachable |
Fails open by default so a PkgRadar outage never blocks your work. Bypass once with command npm install … or append --no-firewall. This complements the CI gate and GitHub App — same verdicts, but enforced at the developer’s install instead of in review.
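The three steps under "How it works" and the fail-open / fail-closed rule from the Config table, as an added Python illustration that is not PkgRadar's own wrapper code. The JSON request body, the Bearer auth header, the review < high < error ordering and applying PKGRADAR_FAIL_ON client-side over per-package risk fields are all assumptions; only the /gate/<ecosystem> endpoint, the allowed flag and the env vars come from the page.

```python
"""Added illustration, not PkgRadar's code. Assumed: JSON body, Bearer header, local FAIL_ON check."""
import json, os, subprocess, sys, urllib.request

# manager -> (PkgRadar ecosystem, argv[1] verbs that install packages); ecosystem names assumed
MANAGERS = {"npm": ("npm", {"install", "i"}), "yarn": ("npm", {"add"}),
            "pnpm": ("npm", {"add"}), "pip": ("pypi", {"install"})}
SEVERITY = ["review", "high", "error"]   # ascending (assumed); FAIL_ON=review is the strictest

def parse_spec(spec):
    """'pkg', 'pkg@1.2.3', '@scope/pkg@1.0', 'pkg==1.2.3' -> (name, version or None)."""
    name, sep, ver = spec.partition("==")   # pip pin
    if sep:
        return name, ver or None
    at = spec.find("@", 1)                  # start at 1 so an npm scope '@' is not a separator
    return (spec[:at], spec[at + 1:] or None) if at > 0 else (spec, None)

def parse_install_command(argv):
    """(ecosystem, [(name, version)]) or None when argv is not an install command."""
    ecosystem, verbs = MANAGERS.get(argv[0] if argv else "", ("", ()))
    if len(argv) < 2 or argv[1] not in verbs:
        return None
    specs = [a for a in argv[2:] if not a.startswith("-")]   # flags such as -g are not packages
    return ecosystem, [parse_spec(s) for s in specs]

def gate_verdict(ecosystem, packages, token, url="https://pkgradar.com/gate/"):
    """One POST to /gate/<ecosystem>; None means the gate was unreachable or unparsable."""
    body = json.dumps({"packages": [{"name": n, "version": v} for n, v in packages]}).encode()
    req = urllib.request.Request(url + ecosystem, data=body, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except (OSError, ValueError):           # URLError is an OSError; ValueError covers bad JSON
        return None

def decide(verdict, fail_on="high", strict=False):
    """Return (run_install?, offenders). Fails open on an outage unless PKGRADAR_STRICT=1."""
    if verdict is None:
        return (not strict), []
    bad = [p for p in verdict.get("packages", []) if p.get("risk") in SEVERITY[SEVERITY.index(fail_on):]]
    return (bool(verdict.get("allowed", True)) and not bad), bad

if __name__ == "__main__":                  # usage: python firewall.py npm install some-pkg
    env, argv = os.environ, [a for a in sys.argv[1:] if a != "--no-firewall"]
    parsed = parse_install_command(argv) if len(argv) == len(sys.argv) - 1 and env.get("PKGRADAR_TOKEN") else None
    if parsed:
        verdict = gate_verdict(*parsed, env["PKGRADAR_TOKEN"])
        run, bad = decide(verdict, env.get("PKGRADAR_FAIL_ON", "high"), env.get("PKGRADAR_STRICT") == "1")
        if not run:
            sys.exit("PkgRadar firewall BLOCKED this install: " + ", ".join(f"{p['name']} [{p['risk']}]" for p in bad))
    sys.exit(subprocess.call(argv))         # the real command runs only when the gate allows it
```

With no PKGRADAR_TOKEN set or --no-firewall present, the command is passed through untouched, mirroring the wrapper's bypass behaviour.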