npm · registry.npmjs.org

@kendoo.agentdesk/agentdesk

Credential file access: matched "GITHUB_TOKEN"

Why PkgRadar flagged 0.25.2

Severity	Signal	Evidence
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/bootstrap.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/init.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/orchestrator.mjs
high	Credential file access	matched ".ssh" · package/cli/prompt.mjs
high	Credential file access	matched ".ssh" · package/cli/session-isolation.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/session-preflight.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/session-sandbox.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/setup-helpers.mjs
high	Credential file access	matched "GITHUB_TOKEN" · package/cli/tracker-check.mjs
medium	Remote Payload	matched "curl " · package/cli/agents.mjs

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.25.2`	Review	112	2026-05-24
`0.26.0`	Review	112	2026-05-24

Related campaigns

Block this in CI

PkgRadar gates @kendoo.agentdesk/agentdesk (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @kendoo.agentdesk/[email protected]