npm · registry.npmjs.org
create-spec-kit
Credential File Packaged: package/scaffold/.github/skills/claudeskill-loki-mode/.env
Why PkgRadar flagged 1.1.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential File Packaged | package/scaffold/.github/skills/claudeskill-loki-mode/.env · package/scaffold/.github/skills/claudeskill-loki-mode/.env |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/scaffold/.github/skills/claudeskill-loki-mode/blog/js/main.js |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/app-runner.sh |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/notify.sh |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/sandbox.sh |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/serve.sh |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/telemetry.sh |
| medium | Remote Payload | matched "curl " · package/scaffold/.github/skills/claudeskill-loki-mode/autonomy/voice.sh |
| medium | Suspicious Publish Context | {"package_age_days":0,"publisher":"alive_phoenix","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true} |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
1.1.0 | High risk | 122 | 2026-06-15 |
1.0.0 | High risk | 122 | 2026-06-15 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]