PkgRadar

Package evidence

@br-ai/[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
3
First published
Jun 2026
Publisher
zhenwei.li

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@br-ai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@br-ai/[email protected]"],"fail_on":"review"}'
Publisherzhenwei.li
Artifact bytes768,550
Previous version0.2.0
Published2026-06-03T08:25:16.727Z
SHA-256f707211b68f5f435c9bb91b63efc8653a596da6620fd837b25bdb358d4dccd7a

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
0.2.1Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/bin/install-workflow.jsmatched ".npmrc"5

Manifest

Package metadata

Scripts16
  • demo:runtimenode ./bin/cli.js demo-runtime-smoke
  • hub:sync-assetsnode ./scripts/hub-sync-assets.js
  • prepacknpm run verify:install-ps1-bom
  • test:p1node ./tests/ide/adapter-protocol.test.js && node ./tests/ide/cursor-adapter.test.js && node ./tests/ide/claude-adapter.test.js && node ./tests/ide/ide-sync.test.js && node ./tests/scanner/tech-scanner.test.js && node ./tests/asset/asset-package.test.js && node ./tests/config/config-layer.test.js && node ./tests/p1/multi-project-validation.test.js && node ./tests/p1/p1-integration.test.js
  • test:p2node ./tests/agent/agent-profile.test.js && node ./tests/agent/tool-permission.test.js && node ./tests/agent/file-permission.test.js && node ./tests/agent/agent-context.test.js && node ./tests/agent/collaboration-protocol.test.js && node ./tests/agent/review-repair-loop.test.js && node ./tests/agent/conflict-handler.test.js && node ./tests/p2/p2-integration.test.js
  • test:p3node ./tests/governance/rbac.test.js && node ./tests/governance/asset-review.test.js && node ./tests/governance/audit-log.test.js && node ./tests/governance/gray-release.test.js && node ./tests/governance/rollback.test.js && node ./tests/governance/security-policy.test.js && node ./tests/p3/p3-integration.test.js
  • test:p4node ./tests/visual/event-gateway.test.js && node ./tests/visual/timeline.test.js && node ./tests/visual/hook-dashboard.test.js && node ./tests/visual/agent-visual.test.js && node ./tests/visual/metrics.test.js && node ./tests/visual/risk-board.test.js && node ./tests/p4/p4-integration.test.js
  • test:p5node ./tests/asset/asset-registry.test.js && node ./tests/asset/asset-version.test.js && node ./tests/asset/asset-dependency.test.js && node ./tests/asset/asset-install.test.js && node ./tests/asset/asset-feedback.test.js && node ./tests/asset/asset-manager.test.js && node ./tests/asset/asset-installer.test.js && node ./tests/asset/asset-lifecycle.test.js && node ./tests/asset/asset-fork.test.js && node ./tests/asset/asset-quality.test.js && node ./tests/p5/p5-integration.test.js && node ./tests/p5/p5-real-install-rollback.test.js
  • test:registrynode ./tests/registry/validate-registry.test.js
  • test:runtimenode ./tests/runtime/command-template-renderer.test.js && node ./tests/runtime/runtime-bootstrap.test.js && node ./tests/runtime/runtime-launcher.test.js && node ./tests/runtime/runtime-state-checkpoints.test.js && node ./tests/runtime/archive-change.test.js && node ./tests/runtime/task-orchestrator-runner.test.js && node ./tests/runtime/expert-executor.test.js && node ./tests/runtime/auto-fix-runtime.test.js && node ./tests/runtime/protocol-workflow-registry.test.js && node ./tests/runtime/protocol-update-fast-path.test.js && node ./tests/runtime/protocol-interaction-enhancements.test.js && node ./tests/runtime/spec-start-replay.test.js && node ./tests/runtime/demo-runtime-smoke.test.js && node ./tests/runtime/expert-delivery-template-content.test.js && node ./tests/runtime/sync.test.js && node ./tests/runtime/visual-command.test.js && node ./tests/runtime/hub-install.test.js && node ./tests/runtime/hub-diff.test.js && node ./tests/runtime/hub-upgrade-rollback.test.js && node ./tests/runtime/hub-runtime-report.test.js
  • verify:install-ps1-bomnode ./scripts/verify-install-ps1-bom.js
  • verify:p1npm run test:registry && npm run test:runtime && npm run test:p1 && npm pack --dry-run
  • verify:p2npm run test:registry && npm run test:runtime && npm run test:p1 && npm run test:p2 && npm pack --dry-run
  • verify:p3npm run test:registry && npm run test:runtime && npm run test:p1 && npm run test:p2 && npm run test:p3 && npm pack --dry-run
  • verify:p4npm run test:registry && npm run test:runtime && npm run test:p1 && npm run test:p2 && npm run test:p3 && npm run test:p4 && npm pack --dry-run
  • verify:p5npm run test:registry && npm run test:runtime && npm run test:p1 && npm run test:p2 && npm run test:p3 && npm run test:p4 && npm run test:p5 && npm pack --dry-run
Optional dependencies1
  • node-machine-id^1.1.12