npm · registry.npmjs.org

@clawpump/claw-agent

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Why PkgRadar flagged 0.1.1

Severity	Signal	Evidence
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/bin/cli.mjs
high	Credential file access	matched ".npmrc" · package/agent/hermes_cli/security_advisories.py
medium	Remote Payload	matched "raw.githubusercontent.com" · package/agent/apps/desktop/electron/bootstrap-runner.cjs
medium	Remote Payload	matched "curl " · package/agent/plugins/memory/hindsight/__init__.py
medium	Remote Payload	matched "curl " · package/agent/hermes_cli/memory_setup.py
medium	Remote Payload	matched "github.com/KittenML/KittenTTS/releases/download" · package/agent/hermes_cli/setup.py
medium	Credential file access	matched "AWS_ACCESS_KEY" · package/agent/hermes_cli/model_switch.py
medium	Credential file access	matched ".npmrc" · package/agent/tools/skills_guard.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.1.1`	Review	193	2026-06-04
`0.1.0`	Review	193	2026-06-03

Block this in CI

PkgRadar gates @clawpump/claw-agent (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @clawpump/[email protected]

Start free — 25 scans / mo View full evidence