Package evidence

@drewling/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 5
Versions published: 3
First published: Apr 2026
Publisher: tayoonabule

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@drewling/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@drewling/[email protected]"],"fail_on":"review"}'

Publishertayoonabule

Artifact bytes141,543

Previous version0.6.0

Published2026-05-27T22:15:57.425Z

SHA-2563ab546850ee277a8a3075e3293b38e1a3ea14c562e82eeac5ef4de842c89dd09

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

24Score

0.6.1Version

Status history (1 event)

new → available16d ago · risk review · score 24 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/openapi/twenty-core.json	matched "curl "	12
medium	Remote Payload	package/openapi/twenty-metadata.json	matched "curl "	12

Manifest

Package metadata

Scripts12

buildtsc && shx chmod 755 build/index.js
check:specnode scripts/check-spec-drift.js
devtsc --watch
fetch:specnode -e "const u=process.env.TWENTY_API_URL,k=process.env.TWENTY_API_KEY;if(!u||!k){console.error('Set TWENTY_API_URL and TWENTY_API_KEY');process.exit(1)}fetch(u.replace(/\/$/,'')+'/open-api/core',{headers:{Authorization:'Bearer '+k}}).then(r=>r.ok?r.text():Promise.reject(r.status)).then(t=>{require('fs').writeFileSync('openapi/twenty-core.json',t);console.log('Saved openapi/twenty-core.json')})"
fetch:spec:metadatanode -e "const u=process.env.TWENTY_API_URL,k=process.env.TWENTY_API_KEY;if(!u||!k){console.error('Set TWENTY_API_URL and TWENTY_API_KEY');process.exit(1)}fetch(u.replace(/\/$/,'')+'/open-api/metadata',{headers:{Authorization:'Bearer '+k}}).then(r=>r.ok?r.text():Promise.reject(r.status)).then(t=>{require('fs').writeFileSync('openapi/twenty-metadata.json',t);console.log('Saved openapi/twenty-metadata.json')})"
fetch:specsnpm run fetch:spec && npm run fetch:spec:metadata
prestartnpm run build
regenopenapi-mcp-generator --input openapi/twenty-core.json --output . --server-name twenty-mcp --server-version 0.2.0 --transport stdio --force
regen:metadatanode scripts/gen-metadata-tools.js
startnode build/index.js
testvitest run
typechecktsc --noEmit

Dependencies6

@modelcontextprotocol/sdk^1.10.0
axios^1.9.0
dotenv^16.4.5
json-schema-to-zod^2.6.1
pino^10.3.1
zod^3.24.3