Cargo · crates.io

ins

Remote Payload: matched "curl "

Why PkgRadar flagged 0.13.35

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · ins-0.13.35/src/common/network.rs
medium	Remote Payload	matched "curl " · ins-0.13.35/src/dev/setup.rs
medium	Remote Payload	matched "github.com/ryanoasis/nerd-fonts/releases/download" · ins-0.13.35/src/doctor/checks/nerdfont.rs
medium	Remote Payload	matched "curl " · ins-0.13.35/src/doctor/checks/tools.rs
medium	Remote Payload	matched "github.com/stenzek/duckstation/releases/download" · ins-0.13.35/src/game/platforms/duckstation.rs
medium	Remote Payload	matched "raw.githubusercontent.com" · ins-0.13.35/src/game/platforms/ludusavi/manifest.rs
medium	Remote Payload	matched "curl " · ins-0.13.35/src/video/document/mod.rs
medium	Remote Payload	matched "curl " · ins-0.13.35/src/video/pipeline/setup.rs
medium	Remote Payload	matched "raw.githubusercontent.com" · ins-0.13.35/src/wallpaper/common.rs

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.13.35`	High risk	75	2026-05-30

Block this in CI

PkgRadar gates ins (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem cargo [email protected]