Package evidence
@agent-assembly/[email protected]
New Account With Lifecycle Hook: package first published 12 day(s) ago, 6 total version(s), has lifecycle hook
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 36
- Versions published
- 6
- First published
- Jun 2026
- Publisher
- bryant08
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@agent-assembly/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@agent-assembly/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
New Account With Lifecycle Hook: package first published 12 day(s) ago, 6 total version(s), has lifecycle hook
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | New Account With Lifecycle Hook | package.json | package first published 12 day(s) ago, 6 total version(s), has lifecycle hook | 10 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | New Account With Lifecycle Hook | package.json | package first published 12 day(s) ago, 6 total version(s), has lifecycle hook | 10 |
| low | Install-time lifecycle script | package.json | postinstall="node ./scripts/postinstall.mjs" | 5 |
Manifest
Package metadata
Scripts13
buildpnpm run build:esm && pnpm run build:cjsbuild:cjstsc -p tsconfig.cjs.json && node ./scripts/write-cjs-package-json.mjsbuild:esmtsc -p tsconfig.build.jsonformatprettier --write .gen:protonode ./scripts/gen-proto.mjslinteslint .native:buildpnpm exec napi build --manifest-path native/aa-ffi-node/Cargo.toml --output-dir native/aa-ffi-node --no-js --dts index.d.ts --js-package-name @agent-assembly/sdknative:build:releasepnpm exec napi build --manifest-path native/aa-ffi-node/Cargo.toml --output-dir native/aa-ffi-node --release --platform --no-js --dts index.d.ts --js-package-name @agent-assembly/sdknative:check-typestsc --strict --noEmit --ignoreConfig native/aa-ffi-node/index.d.tspostinstallnode ./scripts/postinstall.mjstestvitest runtest:coveragevitest run --coverage --coverage.reporter=lcov --coverage.reporter=texttypechecktsc -p tsconfig.test.json --noEmit
Dependencies2
@bufbuild/protobuf^2.12.0@grpc/grpc-js^1.14.4
Optional dependencies4
@agent-assembly/runtime-darwin-arm640.0.1-alpha.8@agent-assembly/runtime-darwin-x640.0.1-alpha.8@agent-assembly/runtime-linux-arm640.0.1-alpha.8@agent-assembly/runtime-linux-x640.0.1-alpha.8