PkgRadar

Package evidence

@claudiolabs/[email protected]

Credential file access: matched "AWS_SECRET_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,590 (Niche · −30% score)
Versions published: 35
First published: May 2026
Publisher: viudes

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@claudiolabs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@claudiolabs/[email protected]"],"fail_on":"review"}'

Publisher: viudes
Artifact bytes: 3,655,269
Previous version: 0.4.4
Published: 2026-05-31T16:32:21.536Z
SHA-256: 2c732c3598faf29d0e8a59ec063909ba8c96cdef07c251ec880e209a41179bad

Why flagged

What the scanner saw

Credential file access: matched "AWS_SECRET_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 21
Version: 0.5.0
Status history (1 event)
  1. new available · risk review · score 21 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 6 findings (low-signal and informational)

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/chunks/cli-0.5.0-7r8kk401.mjs | matched "AWS_SECRET_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/chunks/cli-0.5.0-rjrr23sf.mjs | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/chunks/cli-0.5.0-y747jrqv.mjs | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/chunks/cli-0.5.0-ywj7hyn5.mjs | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/chunks/index-0.5.0-sq7g6g2x.mjs | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/chunks/index-0.5.0-ytg9xq82.mjs | matched "AWS_ACCESS_KEY" | 5 |

Manifest

Package metadata

Scripts: 33
  • build → bun run scripts/build.ts
  • build:extension → mkdir -p dist && cd vscode-extension/claudio-vscode && bun install --frozen-lockfile && npx --yes @vscode/vsce@^3 package --out ../../dist/claudio-vscode.vsix
  • build:release → bun run build:extension && CLAUDIO_RELEASE_BUILD=1 bun run build
  • build:verified → bun run build && bun run verify:privacy
  • dev → bun run build && node dist/cli.mjs
  • link → bun link
  • prepack → npm run build:release
  • profile → bun run scripts/profile/run-all.ts
  • profile:code-outline → bun run scripts/profile/code-outline-bench.ts
  • profile:cold-start → bun run scripts/profile/cold-start-bench.ts
  • profile:file-read-cache-saturation → bun --expose-gc run scripts/profile/file-read-cache-saturation-bench.ts
  • profile:heap-snapshot-diff → bun --expose-gc run scripts/profile/heap-snapshot-diff-bench.ts
  • profile:input → bun run scripts/profile/input-bench.ts
  • profile:long-session → bun --expose-gc run scripts/profile/long-session-bench.ts
  • profile:mem → bun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts
  • profile:mem:500 → bun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts --turns=500 --payload-kb=200 --payload-jitter=100 --with-compact --with-clear --compact-every=100 --clear-every=200 --inflection --output=scripts/profile/baselines/memory-turn-by-turn.json --csv=scripts/profile/baselines/memory-turn-by-turn.csv
  • profile:mem:ci → bun --expose-gc run scripts/profile/memory-turn-by-turn-bench.ts --turns=100 --payload-kb=50 --with-compact --with-clear --compact-every=25 --clear-every=50 --inflection --json
  • profile:memory → bun run scripts/profile/memory-bench.ts
  • profile:query-engine-mem → bun --expose-gc run scripts/profile/query-engine-mem-bench.ts
  • profile:skills-plugin → bun --expose-gc run scripts/profile/skills-plugin-bench.ts
  • profile:streaming → bun run scripts/profile/streaming-bench.ts --compare
  • profile:streaming-shim → bun --expose-gc run scripts/profile/streaming-shim-bench.ts
  • profile:transcript → bun run scripts/profile/transcript-bench.ts --with-code
  • security:pr-scan → bun run scripts/pr-intent-scan.ts
  • setup → bun install && bun run build && bun link
  • smoke → bun run build && node dist/cli.mjs --version && node dist/cli.mjs --help >/dev/null
  • start → node dist/cli.mjs
  • test → bun test
  • test:coverage → bun test --coverage --coverage-reporter=lcov --coverage-dir=coverage --max-concurrency=1 && bun run scripts/render-coverage-heatmap.ts
  • test:coverage:ui → bun run scripts/render-coverage-heatmap.ts
  • …and 3 more.
Dependencies: 61
  • @alcalzone/ansi-tokenize 0.3.0
  • @anthropic-ai/bedrock-sdk ^0.29.1
  • @anthropic-ai/foundry-sdk 0.2.3
  • @anthropic-ai/sdk ^0.96.0
  • @anthropic-ai/vertex-sdk ^0.16.0
  • @commander-js/extra-typings 14
  • @mendable/firecrawl-js ^4.23.0
  • @modelcontextprotocol/sdk 1.29.0
  • ajv ^8.20.0
  • auto-bind 5.0.1
  • axios ^1.16.1
  • bidi-js 1.0.3
  • chalk 5.6.2
  • chokidar 5.0.0
  • cli-boxes 4
  • cli-highlight 2.1.11
  • code-excerpt 4.0.0
  • commander 14
  • cross-spawn 7.0.6
  • diff 9.0.0
  • duck-duck-scrape ^2.2.7
  • emoji-regex 10.6.0
  • env-paths 4
  • execa 9.6.1
  • fflate 0.8.2
  • figures 6.1.0
  • fuse.js ^7.3.0
  • get-east-asian-width ^1.6.0
  • google-auth-library 9.15.1
  • https-proxy-agent 9.0.0
  • …and 31 more.