Go modules · proxy.golang.org
github.com/garagon/aguara
Credential file access: matched ".ssh/"
Why PkgRadar flagged v0.25.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential file access | matched ".ssh/" · github.com/garagon/[email protected]/internal/engine/toxicflow/toxicflow.go |
| high | DNS / OAST exfiltration | matched "dig $(" · github.com/garagon/[email protected]/internal/rules/builtin/exfiltration.yaml |
| medium | Remote Payload | matched "github.com/garagon/aguara/releases/download" · github.com/garagon/[email protected]/cmd/aguara/commands/update.go |
| medium | Remote Payload | matched "curl " · github.com/garagon/[email protected]/internal/engine/agentpolicy/metadata.go |
| medium | Credential file access | matched "id_rsa" · github.com/garagon/[email protected]/internal/engine/nlp/classifier.go |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
v0.25.0 | High risk | 132 | 2026-06-12 |
v0.24.0 | High risk | 127 | 2026-06-11 |
v0.23.0 | High risk | 105 | 2026-06-08 |
v0.22.2 | High risk | 127 | 2026-06-04 |
v0.22.1 | High risk | 127 | 2026-06-02 |
v0.22.0 | High risk | 127 | 2026-05-30 |
v0.21.0 | High risk | 127 | 2026-05-30 |
v0.20.0 | High risk | 115 | 2026-05-30 |
Block this in CI
pkgradar gate --ecosystem go github.com/garagon/[email protected]