Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@dingtalk-real-ai/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@dingtalk-real-ai/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".SSH"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 69 · status changed
Related candidates
Linked campaigns and clusters
hotspring.myw26
2 members · evidence strength 57Evidence
Static findings
8 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/bin/dingtalk-connector.js | matched ".SSH" | 30 |
| medium | Remote Payload | package/bin/dingtalk-connector.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/src/utils/utils-legacy.ts | matched "curl " | 12 |
Show all 8 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/bin/dingtalk-connector.js | matched ".SSH" | 30 |
| medium | Remote Payload | package/bin/dingtalk-connector.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/src/utils/utils-legacy.ts | matched "curl " | 12 |
| low | Obfuscation | package/bin/dingtalk-connector.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/message-handler-0NLKAqHU.mjs | matched "\\u3000" | 3 |
| low | Obfuscation | package/dist/messaging-C2zJ8O-o.mjs | matched "\\u4e00" | 3 |
| low | Obfuscation | package/src/services/messaging/mentions.ts | matched "\\u4e00" | 3 |
| low | Obfuscation | package/src/core/message-handler.ts | matched "\\u3000" | 3 |
Manifest
Package metadata
Scripts22
buildtsdowncleanrm -rf node_modules package-lock.jsondevecho 'Run: openclaw start'install:freshnpm run clean && npm installlintecho 'Lint check skipped'lint:fixecho 'Lint fix skipped'postpacknode -e "const fs=require('fs'),p=JSON.parse(fs.readFileSync('package.json','utf8'));if(p._devDependencies){p.devDependencies=p._devDependencies;delete p._devDependencies;fs.writeFileSync('package.json',JSON.stringify(p,null,2)+'\n')}"prepacknode -e "const fs=require('fs'),p=JSON.parse(fs.readFileSync('package.json','utf8'));p._devDependencies=p.devDependencies;delete p.devDependencies;fs.writeFileSync('package.json',JSON.stringify(p,null,2)+'\n')"prepublishOnlynpm run buildrelease:prepareecho 'Release prepare skipped'release:publishnpm publish --access publicrelease:verifynpm view @dingtalk-real-ai/dingtalk-connector versiontestvitest run tests/gateway-methods.unit.test.tstest:allvitest runtest:coveragevitest run --coverage --exclude tests/gateway-methods.test.tstest:integrationvitest run tests/gateway-methods.unit.test.tstest:uivitest --uitest:unitvitest run tests/gateway-methods.unit.test.tstest:watchvitest watchtype-checknpx tsc --noEmitvalidatenpm run lint && npm run type-check && npm run version:checkversion:checkecho 'Version check skipped'
Dependencies5
axios1.14.0dingtalk-stream2.1.4form-data4.0.0qrcode-terminal0.12.0zod4.3.6
Optional dependencies1
mammoth^1.8.0