npm · registry.npmjs.org

@blockrun/clawrouter

Remote Payload: matched "curl "

Why PkgRadar flagged 0.12.197

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · package/scripts/reinstall.sh
medium	Large Javascript Payload	3292365 bytes · package/dist/cli.js
medium	Large Javascript Payload	3146293 bytes · package/dist/index.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.12.208`	Low risk	0	2026-06-11
`0.12.207`	Low risk	0	2026-06-11
`0.12.63`	Low risk	0	2026-06-10
`0.12.206`	Low risk	0	2026-06-10
`0.12.205`	Low risk	0	2026-06-08
`0.12.204`	Low risk	0	2026-06-08
`0.12.203`	Low risk	0	2026-06-06
`0.12.202`	Low risk	0	2026-06-06
`0.12.201`	Low risk	0	2026-06-06
`0.12.200`	Low risk	0	2026-06-01
`0.12.199`	Low risk	0	2026-05-31
`0.12.198`	Low risk	0	2026-05-29
`0.12.197`	Review	22	2026-05-27
`0.12.195`	Review	44	2026-05-24
`0.12.196`	Review	44	2026-05-24

Block this in CI

PkgRadar gates @blockrun/clawrouter (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @blockrun/[email protected]