PkgRadar

Package evidence

@blade-ai/[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 118
Versions published: 35
First published: Feb 2026
Publisher: echovic

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl or GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@blade-ai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@blade-ai/[email protected]"],"fail_on":"review"}'

Publisher: echovic
Artifact bytes: 307,920
Previous version: 1.0.7
Published: 2026-04-23T12:27:47.977Z
SHA-256: 0d4dde3c9ca253106d892b36ba762e873c82db50eb9fed714519dff1f8f8b82d

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 5
Version: 1.0.8
Status history (1 event)
  1. new available · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 1 findings (low-signal and informational)

Severity | Kind | Path | Detail | Points
low | Credential file access | package/dist/index.js | matched ".npmrc" | 5

Manifest

Package metadata

Scripts (13)
  • build: tsup && tsc -p tsconfig.build.json
  • docs:build: vitepress build docs
  • docs:dev: vitepress dev docs
  • docs:preview: vitepress preview docs
  • lint: biome lint src
  • lint:fix: biome lint --write src
  • release: node scripts/release.js
  • release:dry: node scripts/release.js --dry-run
  • release:major: node scripts/release.js --major
  • release:minor: node scripts/release.js --minor
  • release:patch: node scripts/release.js --patch
  • test: vitest run
  • type-check: tsc --noEmit
Dependencies (26)
  • @ai-sdk/openai ^3.0.53
  • @ai-sdk/openai-compatible ^2.0.41
  • @modelcontextprotocol/sdk ^1.29.0
  • ai ^6.0.168
  • async-mutex ^0.5.0
  • axios ^1.15.2
  • chalk ^5.6.2
  • diff ^9.0.0
  • fast-glob ^3.3.3
  • fuse.js ^7.3.0
  • gray-matter ^4.0.3
  • hono ^4.12.14
  • js-tiktoken ^1.0.21
  • lodash-es ^4.17.21
  • lru-cache ^11.3.5
  • nanoid ^5.1.9
  • open ^11.0.0
  • picomatch ^4.0.4
  • semver ^7.7.4
  • undici ^7.16.0
  • write-file-atomic ^7.0.1
  • ws ^8.20.0
  • yaml ^2.8.3
  • zod ^3.25.2
  • zod-to-json-schema ^3.25.2
  • zustand ^5.0.12
Optional dependencies (6)
  • @ai-sdk/anthropic ^3.0.71
  • @ai-sdk/azure ^3.0.54
  • @ai-sdk/deepseek ^2.0.29
  • @ai-sdk/google ^3.0.64
  • @vscode/ripgrep ^1.17.0
  • node-pty 1.0.0