PkgRadar

npm · registry.npmjs.org

claude-friends

Install Lifecycle Remote Or Exec: postinstall="node -e \"const{cpSync,mkdirSync,unlinkSync}=require('fs'),{join}=require('path'),d=join(require('os').homedir(),'.claude','commands');mkdirSync(d,{recursive:true});try{unlinkSync(join(d,'friend.md'))}catch{};try{unlinkSync(join(d,'friends.md'))}catch{};try{cpSync(join(__dirname,'commands'),d,{recursive:true})}catch{}\""

Why PkgRadar flagged 0.4.18

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"const{cpSync,mkdirSync,unlinkSync}=require('fs'),{join}=require('path'),d=join(require('os').homedir(),'.claude','commands');mkdirSync(d,{recursive:true});try{unlinkSync(join(d,'friend.md'))}catch{};try{unlinkSync(join(d,'friends.md'))}catch{};try{cpSync(join(__dirname,'commands'),d,{recursive:true})}catch{}\"" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.4.18High risk352026-06-05
0.4.19High risk352026-06-05

Block this in CI

PkgRadar gates claude-friends (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence