Package evidence

@desplega.ai/[email protected]

Remote Payload: matched "api.github.com/graphql"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,160Niche · −30% score
Versions published: 109
First published: Dec 2025
Publisher: tarasyarema

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@desplega.ai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@desplega.ai/[email protected]"],"fail_on":"review"}'

Publishertarasyarema

Artifact bytes2,193,810

Previous version1.92.2

Published2026-06-10T08:08:20.628Z

SHA-256a7d08176f6cff17e9e1c64180c08dde1d3ff5144518c01a11ab2ed9418dec722

Why flagged

What the scanner saw

Remote Payload: matched "api.github.com/graphql"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

3d agoLast checked

reviewRisk

40Score

1.93.0Version

Status history (1 event)

new → available3d ago · risk review · score 40 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/src/github/reactions.ts	matched "api.github.com/graphql"	12
medium	Remote Payload	package/src/tools/skills/skill-install-remote.ts	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/src/tools/skills/skill-sync-remote.ts	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/src/http/skills.ts	matched "raw.githubusercontent.com"	12

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/src/github/reactions.ts	matched "api.github.com/graphql"	12
medium	Remote Payload	package/src/tools/skills/skill-install-remote.ts	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/src/tools/skills/skill-sync-remote.ts	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/src/http/skills.ts	matched "raw.githubusercontent.com"	12
low	Credential file access	package/src/providers/pi-mono-adapter.ts	matched ".aws/"	5
low	Credential file access	package/src/utils/secret-scrubber.ts	matched "aws_access_key"	5

Manifest

Package metadata

Scripts50

build:binarybun build ./src/cli.tsx --compile --compile-exec-argv='--expose-gc' --target=bun-linux-x64 --outfile ./dist/agent-swarm
build:binary:arm64bun build ./src/cli.tsx --compile --compile-exec-argv='--expose-gc' --target=bun-linux-arm64 --outfile ./dist/agent-swarm
build:pi-skillsbun run plugin/build-pi-skills.ts
check-chart-versionbun scripts/sync-chart-version.ts --check-if-package-version-changed
check:api-key-boundarybash scripts/check-api-key-boundary.sh
check:audit-columnsbash scripts/check-audit-columns.sh
check:db-boundarybash scripts/check-db-boundary.sh
claudebun src/cli.tsx claude
claude:headlessbun src/cli.tsx claude --headless
clibun src/cli.tsx
deploy:dockerbun deploy/docker-push.ts
deploy:installbun deploy/install.ts
deploy:uninstallbun deploy/uninstall.ts
deploy:updatebun deploy/update.ts
devbun --hot src/stdio.ts
dev:httpportless api.swarm bun --hot src/http.ts
docker:build:workerdocker build -f Dockerfile.worker -t agent-swarm-worker:latest .
docker:run:leaddocker run --rm -it --env-file .env.docker-lead -e AGENT_ROLE=lead -p 3201:3000 -v ./logs:/logs -v ./work/shared:/workspace/shared -v ./work/lead:/workspace/personal agent-swarm-worker:latest
docker:run:workerdocker run --rm -it --env-file .env.docker -p 3202:3000 -v ./logs:/logs -v ./work/shared:/workspace/shared -v ./work/worker-1:/workspace/personal agent-swarm-worker:latest
docs:business-usebun scripts/generate-business-use-docs.ts
docs:mcpbun scripts/generate-mcp-docs.ts
docs:openapibun scripts/generate-openapi.ts
e2e:otel:jaegerbun scripts/e2e-otel-jaeger.ts
e2e:workflowsbun scripts/e2e-workflow-test.ts
e2e:workflows:dockerbun scripts/e2e-workflow-test.ts --with-docker
formatbiome format --write src
hookbun src/hooks/hook.ts
inspectorbunx @modelcontextprotocol/inspector --transport stdio bun src/stdio.ts
inspector:httpbunx @modelcontextprotocol/inspector --transport http https://api.swarm.localhost:1355/mcp
leadbun src/cli.tsx lead
…and 20 more.

Dependencies39

@ai-sdk/openai^3.0.41
@anthropic-ai/sdk^0.93.0
@asteasolutions/zod-to-openapi^8.0.0
@desplega.ai/business-use^0.4.2
@desplega.ai/localtunnel^2.2.0
@earendil-works/pi-agent-core^0.79.1
@earendil-works/pi-ai^0.79.1
@earendil-works/pi-coding-agent^0.79.1
@inkjs/ui^2.0.0
@linear/sdk^77.0.0
@modelcontextprotocol/sdk^1.25.1
@openai/codex-sdk^0.139.0
@opencode-ai/sdk^1.16.2
@openfort/openfort-node^0.9.1
@opentelemetry/api^1.9.1
@opentelemetry/exporter-trace-otlp-http^0.218.0
@opentelemetry/resources^2.7.1
@opentelemetry/sdk-node^0.218.0
@opentelemetry/semantic-conventions^1.41.1
@slack/bolt^4.6.0
@types/react^19.2.7
@x402/core^2.5.0
@x402/evm^2.5.0
@x402/fetch^2.5.0
ai^6.0.116
cron-parser^5.4.0
date-fns^4.1.0
e2b2.26.0
hono^4.12.3
ink^6.5.1
…and 9 more.