Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 715
- Versions published
- 227Established · −30% score
- First published
- Nov 2025
- Publisher
- christso
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@agentv/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@agentv/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 7 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/chunk-DZJ3OIF6.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/dist-es-L6R4FPI5.js | matched "aws_access_key" | 5 |
| low | Large Javascript Payload | package/dist/index.cjs | 7726527 bytes | 0 |
| low | Large Javascript Payload | package/dist/dist-BOIN5LC5.js | 2740771 bytes | 0 |
Manifest
Package metadata
Scripts11
buildtsupdevbun --watch src/index.tsdiagnostics:azurebun src/diagnostics/azure-deployment-diag.tsfixbiome check --write .formatbiome format --write .generate:schemabun scripts/generate-eval-schema.tslintbiome check .prepublishOnlynode -e "if(process.env.ALLOW_PUBLISH!=='1'){console.error('ERROR: Use bun run publish:next, then bun run promote:latest');process.exit(1)}"testbun testtest:watchbun test --watchtypechecktsc --noEmit
Dependencies16
@agentclientprotocol/sdk^0.14.1@agentv/evalworkspace:*@ai-sdk/anthropic^3.0.0@ai-sdk/azure^3.0.0@ai-sdk/google^3.0.0@ai-sdk/openai^3.0.0@anthropic-ai/claude-agent-sdk^0.2.49@github/copilot-sdk^0.1.25@openai/codex-sdk^0.104.0@openrouter/ai-sdk-provider^2.3.1ai^6.0.0fast-glob^3.3.3json5^2.2.3micromatch^4.0.8yaml^2.6.0zod^3.23.8
Optional dependencies6
@opentelemetry/api^1.9.0@opentelemetry/core^2.5.1@opentelemetry/exporter-trace-otlp-http^0.212.0@opentelemetry/resources^2.5.1@opentelemetry/sdk-trace-node^2.5.1@opentelemetry/semantic-conventions^1.39.0