npm · registry.npmjs.org

@openape/ape-agent

Credential file access: matched ".ssh"

Why PkgRadar flagged 2.8.12

Severity	Signal	Evidence
high	Credential file access	matched ".ssh" · package/dist/bridge.mjs
medium	Remote Payload	matched "curl " · package/dist/bridge.mjs
medium	Obfuscation Density	high encoded/escaped-token density · package/dist/bridge.mjs

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.10.0`	Low risk	0	2026-06-10
`2.9.2`	Low risk	0	2026-06-04
`2.9.0`	Low risk	0	2026-06-03
`2.9.1`	Low risk	0	2026-06-03
`2.8.14`	Low risk	0	2026-06-03
`2.8.13`	Low risk	0	2026-06-03
`2.8.12`	Review	42	2026-05-24
`2.8.11`	Review	42	2026-05-24
`2.8.10`	Review	42	2026-05-24
`2.8.9`	Review	42	2026-05-24
`2.8.8`	Review	42	2026-05-24
`2.8.7`	Review	42	2026-05-24
`2.8.6`	Review	42	2026-05-24
`2.8.5`	Review	42	2026-05-24
`2.8.4`	Review	42	2026-05-24

Block this in CI

PkgRadar gates @openape/ape-agent (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @openape/[email protected]