Package evidence

@chachamaru127/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 909
Versions published: 55
First published: Feb 2026
Publisher: chachamaru127

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@chachamaru127/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@chachamaru127/[email protected]"],"fail_on":"review"}'

Publisherchachamaru127

Artifact bytes15,560,550

Previous version0.25.8

Published2026-05-27T13:32:10.624Z

SHA-2563ea60edcd27410f47b476af9dc721736c9ff336a85a9414bd7f4467142efd892

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

17d agoLast checked

reviewRisk

17Score

0.25.9Version

Status history (1 event)

new → available17d ago · risk review · score 17 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/scripts/test-integration.sh	matched "curl "	12

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/scripts/test-integration.sh	matched "curl "	12
low	Credential file access	package/memory-server/src/sync/github-connector.ts	matched "GITHUB_TOKEN"	5

Manifest

Package metadata

Scripts21

benchmarkcd memory-server && bun run src/benchmark/run-ci.ts
benchmark:developer-domainbun run scripts/s108-developer-domain-manifest.ts
benchmark:pilot30bash scripts/bench-pilot-30usd.sh
benchmark:pilot30:dry-runbash scripts/bench-pilot-30usd.sh --dry-run
benchmark:recall-runtimebun run scripts/s128-recall-runtime-gate.ts
benchmark:recall-runtime:readinessbun run scripts/s128-enforce-readiness-pack.ts
benchmark:swebench-probash scripts/bench-swebench-pro.sh
benchmark:swebench-pro:dry-runbash scripts/bench-swebench-pro.sh --dry-run
benchmark:swebench-pro:smokebash scripts/bench-swebench-pro.sh --repo-path ../SWE-bench_Pro-os --subset-manifest smoke --runner local-docker --model gpt-5-mini --mode on-off --dry-run
benchmark:tau3bash scripts/bench-tau3.sh
benchmark:tau3:dry-runbash scripts/bench-tau3.sh --dry-run
benchmark:tau3:smokebash scripts/bench-tau3.sh --repo-path ../tau2-bench --domain retail --task-split-name base --num-tasks 1 --num-trials 1 --mode on-off --dry-run
benchmark:tune-adaptivecd memory-server && bun run src/benchmark/adaptive-tuning.ts
benchmark:workgraph:readinessbun run scripts/s125-workgraph-enforce-readiness-pack.ts
codex:doctornode scripts/harness-mem.js doctor --platform codex
codex:setupbash scripts/setup-codex-memory.sh
poc:graph-kuzunpx tsx scripts/graph-store-poc-kuzu.ts
poc:graph-sqlitebun run scripts/graph-store-poc-sqlite-cte.ts
test(cd memory-server && bun run test) && bash scripts/run-bun-test-batches.sh tests sdk/tests mcp-server/tests
test:e2ecd harness-mem-ui && bunx playwright test
test:uicd harness-mem-ui && bunx vitest

Dependencies2

@huggingface/transformers3.8.1
sharp0.34.5

Optional dependencies2

@img/sharp-libvips-darwin-arm641.2.4
sqlite-vec-darwin-arm640.1.9