PkgRadar

Package evidence

@aoagents/[email protected]

Credential file access: matched ".ssh"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aoagents/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aoagents/[email protected]"],"fail_on":"high"}'
Publisheragentwrapper
Artifact bytes1,231,570
Previous version0.9.1
Published2026-05-23T19:07:06.988Z
SHA-256740470a587b2509baa766b2d88c0b6995ec84474581009ca2c95a1600241b80c

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
204Score
0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933Version
Status history (1 event)
  1. newavailable · risk high · score 204 · status changed

Evidence

Static findings

47 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/.next/server/chunks/4422.jsmatched ".ssh"30
highCredential file accesspackage/.next/server/app/api/filesystem/browse/route.jsmatched ".ssh"30
mediumObfuscation Densitypackage/.next/static/chunks/1d2d5650.1ef8611b5325bd83.jshigh encoded/escaped-token density12
Show all 47 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/.next/server/chunks/4422.jsmatched ".ssh"30
highCredential file accesspackage/.next/server/app/api/filesystem/browse/route.jsmatched ".ssh"30
mediumObfuscation Densitypackage/.next/static/chunks/1d2d5650.1ef8611b5325bd83.jshigh encoded/escaped-token density12
lowObfuscationpackage/.next/server/pages/_error.jsmatched "\\x3e"3
lowObfuscationpackage/.next/static/chunks/1089-c6d7995c7c19039a.jsmatched "\\x1b"3
lowObfuscationpackage/.next/static/chunks/1461-af7c54935f21d56d.jsmatched "atob("3
lowObfuscationpackage/.next/server/chunks/1876.jsmatched "\\xab"3
lowObfuscationpackage/.next/static/chunks/1d2d5650.1ef8611b5325bd83.jsmatched "\\x1b"3
lowObfuscationpackage/.next/server/chunks/2810.jsmatched "\\xd7"3
lowObfuscationpackage/.next/server/chunks/2914.jsmatched "fromCharCode"3
lowObfuscationpackage/.next/static/chunks/3764.c045e43e67eb2378.jsmatched "\\x02"3
lowObfuscationpackage/.next/server/chunks/4148.jsmatched "\\x3c"3
lowObfuscationpackage/.next/server/chunks/4155.jsmatched "\\x1b"3
lowObfuscationpackage/.next/server/chunks/4422.jsmatched "\\x1b"3
lowObfuscationpackage/.next/static/chunks/5204.7de7e266895bced7.jsmatched "\\x1b"3
lowObfuscationpackage/.next/static/chunks/6231-021ce048ebb4db80.jsmatched "\\uD83D"3
lowObfuscationpackage/.next/server/chunks/6582.jsmatched "\\uFEFF"3
lowObfuscationpackage/.next/server/chunks/680.jsmatched "\\x3c"3
lowObfuscationpackage/.next/server/chunks/6848.jsmatched "\\uD83D"3
lowObfuscationpackage/.next/static/chunks/7494-6ac4a80d2ed79870.jsmatched "\\x3c"3
lowObfuscationpackage/.next/server/chunks/8803.jsmatched "\\u0026"3
lowObfuscationpackage/.next/static/chunks/88a6fc35-f836b4b72df5eafa.jsmatched "\\u00C0"3
lowObfuscationpackage/.next/static/chunks/9293-e0ee967c1303da9f.jsmatched "\\xd7"3
lowObfuscationpackage/.next/server/chunks/9536.jsmatched "\\x1b"3
lowObfuscationpackage/.next/server/chunks/9561.jsmatched "\\x1b"3
lowObfuscationpackage/.next/static/chunks/framework-7060e2ac4971c604.jsmatched "\\u00C0"3
lowObfuscationpackage/.next/static/chunks/app/layout-f3191fa051ba9fdd.jsmatched "\\x1b"3
lowObfuscationpackage/.next/static/chunks/main-ed1610689fbd6f0d.jsmatched "fromCharCode"3
lowObfuscationpackage/.next/static/chunks/app/review/page-028026ab1b9fb220.jsmatched "\\xb7"3
lowObfuscationpackage/.next/static/chunks/app/dev/terminal-test/page-1fbaf7b159f3264c.jsmatched "\\uD83D"3
lowObfuscationpackage/.next/server/app/dev/terminal-test/page.jsmatched "\\uD83D"3
lowObfuscationpackage/.next/server/app/review/page.jsmatched "\\xb7"3
lowObfuscationpackage/.next/static/chunks/polyfills-42372ed130431b0a.jsmatched "\\u2028"3
lowObfuscationpackage/.next/server/app/api/issues/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/orchestrators/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/reviews/execute/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/reviews/findings/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/reviews/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/reviews/send/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/kill/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/message/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/remap/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/restore/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/sessions/[id]/send/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/spawn/route.jsmatched "\\x00"3
lowObfuscationpackage/.next/server/app/api/verify/route.jsmatched "\\x00"3

Manifest

Package metadata

Scripts15
  • buildnext build && tsc -p tsconfig.server.json && node scripts/stamp-version.js
  • cleannode scripts/guard-production-artifact-clean.mjs && rimraf .next dist-server
  • devconcurrently "npm:dev:next" "npm:dev:direct-terminal"
  • dev:direct-terminalnode scripts/dev-direct-terminal.mjs
  • dev:nextnext dev -p ${PORT:-3000}
  • dev:optimizedrimraf .next dist-server && next build && tsc -p tsconfig.server.json && node dist-server/start-all.js
  • prebuildnode scripts/guard-production-artifact-clean.mjs && rimraf .next dist-server
  • screenshottsx e2e/screenshot.ts
  • screenshot:installnpx playwright install chromium
  • startnext start
  • start:allnode dist-server/start-all.js
  • testvitest run
  • test:e2e:reviewtsx e2e/review-board.e2e.ts
  • test:watchvitest
  • typechecktsc --noEmit
Dependencies22
  • @aoagents/ao-core0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-claude-code0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-codex0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-cursor0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-grok0.1.3-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-kimicode0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-agent-opencode0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-runtime-process0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-runtime-tmux0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-scm-github0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-tracker-github0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-tracker-linear0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @aoagents/ao-plugin-workspace-worktree0.9.2-nightly-5d0b624fbef5668d82672179c48309ea74403933
  • @xterm/addon-fit^0.11.0
  • @xterm/addon-web-links^0.12.0
  • @xterm/xterm^6.0.0
  • next^15.1.0
  • next-themes^0.4.6
  • react^19.0.0
  • react-dom^19.0.0
  • server-only^0.0.1
  • ws^8.19.0
Optional dependencies1
  • node-pty^1.1.0