PkgRadar

Package evidence

@claudiolabs/[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
3
First published
Jun 2026
Publisher
viudes

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@claudiolabs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@claudiolabs/[email protected]"],"fail_on":"review"}'
Publisherviudes
Artifact bytes3,723,572
Previous version0.5.8
Published2026-06-05T03:34:35.196Z
SHA-2560aa47c95cf5ac6afa19ac52fe0d8ecacd6d40c41571d9275715b8ab228e68bfa

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
35Score
0.5.9Version
Status history (1 event)
  1. newavailable · risk review · score 35 · status changed

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 7 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/chunks/cli-0.5.9-0b1wx67c.mjsmatched ".ssh/"5
lowCredential file accesspackage/dist/chunks/cli-0.5.9-j2d1jct8.mjsmatched "AWS_SECRET_ACCESS_KEY"5
lowCredential file accesspackage/dist/chunks/cli-0.5.9-mhz9wt6a.mjsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/chunks/cli-0.5.9-zrcz538q.mjsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/chunks/index-0.5.9-pbzzad7t.mjsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/chunks/index-0.5.9-y07jxja1.mjsmatched "aws_access_key"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall-warmup.mjs"5

Manifest

Package metadata

Scripts35
  • buildbun run scripts/build.ts
  • build:extensionmkdir -p dist && cd vscode-extension/claudin-vscode && bun install --frozen-lockfile && npx --yes @vscode/vsce@^3 package --out ../../dist/claudin-vscode.vsix
  • build:releasebun run build:extension && CLAUDIN_RELEASE_BUILD=1 bun run build
  • build:verifiedbun run build && bun run verify:privacy
  • devbun run build && node dist/cli.mjs
  • linkbun link
  • postinstallnode scripts/postinstall-warmup.mjs
  • prepacknpm run build:release
  • profilebun run scripts/profile/run-all.ts
  • profile:code-outlinebun run scripts/profile/code-outline-bench.ts
  • profile:cold-startbun run scripts/profile/cold-start-bench.ts
  • profile:file-read-cache-saturationbun --expose-gc run scripts/profile/file-read-cache-saturation-bench.ts
  • profile:heap-snapshot-diffbun --expose-gc run scripts/profile/heap-snapshot-diff-bench.ts
  • profile:inputbun run scripts/profile/input-bench.ts
  • profile:long-sessionbun --expose-gc run scripts/profile/long-session-bench.ts
  • profile:membun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts
  • profile:mem:500bun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts --turns=500 --payload-kb=200 --payload-jitter=100 --with-compact --with-clear --compact-every=100 --clear-every=200 --inflection --output=scripts/profile/baselines/memory-turn-by-turn.json --csv=scripts/profile/baselines/memory-turn-by-turn.csv
  • profile:mem:cibun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts --turns=100 --payload-kb=50 --with-compact --with-clear --compact-every=25 --clear-every=50 --inflection --json
  • profile:memorybun run scripts/profile/memory-bench.ts
  • profile:query-engine-membun --expose-gc run scripts/profile/query-engine-mem-bench.ts
  • profile:skills-pluginbun --expose-gc run scripts/profile/skills-plugin-bench.ts
  • profile:startup-phasesbun run scripts/profile/startup-phases-bench.ts
  • profile:streamingbun run scripts/profile/streaming-bench.ts --compare
  • profile:streaming-shimbun --expose-gc run scripts/profile/streaming-shim-bench.ts
  • profile:transcriptbun run scripts/profile/transcript-bench.ts --with-code
  • security:pr-scanbun run scripts/pr-intent-scan.ts
  • setupbun install && bun run build && bun link
  • smokebun run build && node dist/cli.mjs --version && node dist/cli.mjs --help >/dev/null
  • startnode dist/cli.mjs
  • testbun test
  • …and 5 more.
Dependencies61
  • @alcalzone/ansi-tokenize0.3.0
  • @anthropic-ai/bedrock-sdk^0.29.2
  • @anthropic-ai/foundry-sdk0.2.4
  • @anthropic-ai/sdk^0.100.1
  • @anthropic-ai/vertex-sdk^0.16.1
  • @commander-js/extra-typings15
  • @mendable/firecrawl-js^4.25.2
  • @modelcontextprotocol/sdk1.29.0
  • ajv^8.20.0
  • auto-bind5.0.1
  • axios^1.17.0
  • bidi-js1.0.3
  • chalk5.6.2
  • chokidar5.0.0
  • cli-boxes4
  • cli-highlight2.1.11
  • code-excerpt4.0.0
  • commander15
  • cross-spawn7.0.6
  • diff9.0.0
  • duck-duck-scrape^2.2.7
  • emoji-regex10.6.0
  • env-paths4
  • execa9.6.1
  • fflate0.8.3
  • figures6.1.0
  • fuse.js^7.4.1
  • get-east-asian-width^1.6.0
  • google-auth-library^10.7.0
  • https-proxy-agent9.0.0
  • …and 31 more.