PkgRadar

Package evidence

@eggai/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 9
First published: Nov 2025
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl or GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@eggai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@eggai/[email protected]"],"fail_on":"review"}'

Artifact bytes: 249,590
Previous version: 0.2.4
Published: 2026-06-08T13:11:28.115Z
SHA-256: 770d31fab9d9318c7b24a16ac5611e2ad6ae4cf73c7c8504c2ef440270edc4fc

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 0.2.5
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/ai/providers/bedrock.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/config/env.js | matched "AWS_ACCESS_KEY" | 5 |

Manifest

Package metadata

Scripts (30)
  • build: tsc -p tsconfig.lib.json && tsc-alias -p tsconfig.lib.json && cp -r src/config/prompts dist/config/prompts && cp -r src/config/agents dist/config/agents
  • build:check: tsc -p tsconfig.lib.json --noEmit
  • dev: tsx --env-file=.env src/cli.ts
  • eval:crb:check-staleness: npx tsx --tsconfig evals/tsconfig.json evals/scripts/check-crb-staleness.ts
  • eval:recall-report: npx tsx evals/src/recall-report.ts
  • eval:run:crb:all: npx tsx evals/src/run-eval.ts --source=crb --mode=agentic
  • eval:run:crb:calcom: npx tsx evals/src/run-eval.ts --dataset=qualops/crb-cal_dot_com --mode=agentic
  • eval:run:crb:critical: npx tsx evals/src/run-eval.ts --source=crb --severity=critical --mode=agentic
  • eval:run:crb:discourse: npx tsx evals/src/run-eval.ts --dataset=qualops/crb-discourse --mode=agentic
  • eval:run:crb:grafana: npx tsx evals/src/run-eval.ts --dataset=qualops/crb-grafana --mode=agentic
  • eval:run:crb:keycloak: npx tsx evals/src/run-eval.ts --dataset=qualops/crb-keycloak --mode=agentic
  • eval:run:crb:sentry: npx tsx evals/src/run-eval.ts --dataset=qualops/crb-sentry --mode=agentic
  • eval:run:qualops: npx tsx evals/src/run-eval.ts --dataset=qualops/qualops
  • eval:upload:all: npx tsx evals/src/upload-datasets.ts --source=all
  • eval:upload:crb:all: npx tsx evals/src/upload-datasets.ts --source=crb
  • eval:upload:qualops: npx tsx evals/src/upload-datasets.ts --source=qualops
  • generate:schema: ts-node --transpile-only --project tsconfig.lib.json scripts/generate-config-schema.ts
  • lint: eslint src tests
  • lint:fix: npm run lint -- --fix
  • qualops: npx tsx --env-file=.env src/cli.ts
  • qualops:all: npx tsx --env-file=.env src/cli.ts all
  • qualops:analyze: npx tsx --env-file=.env src/cli.ts analyze
  • qualops:fix: npx tsx --env-file=.env src/cli.ts fix
  • qualops:judge: npx tsx --env-file=.env src/cli.ts judge
  • qualops:report: npx tsx --env-file=.env src/cli.ts report
  • qualops:review: npx tsx --env-file=.env src/cli.ts review
  • test: LC_ALL=en_US jest
  • test:evals: jest --config evals/jest.config.ts
  • test:integration: jest --config jest.integration.config.js
  • test:smoke: jest --config jest.smoke.config.ts
Dependencies (18)
  • @anthropic-ai/claude-agent-sdk 0.3.162
  • @anthropic-ai/sdk ^0.100.1
  • @aws-sdk/client-bedrock-runtime ^3.1008.0
  • @langfuse/otel ^5.1.0
  • @octokit/rest ^22.0.1
  • @octokit/webhooks-types ^7.6.1
  • @openai/agents ^0.11.4
  • @opentelemetry/api ^1.9.1
  • @opentelemetry/exporter-trace-otlp-http ^0.218.0
  • @opentelemetry/sdk-node ^0.218.0
  • @opentelemetry/sdk-trace-base ^2.6.1
  • @types/commander 2.12.5
  • commander ^15.0.0
  • diff ^9.0.0
  • dotenv ^17.3.1
  • glob ^13.0.6
  • openai ^6.27.0
  • zod ^4.3.6
Optional dependencies (2)
  • @anthropic-ai/claude-agent-sdk-linux-arm64 0.3.162
  • @anthropic-ai/claude-agent-sdk-linux-x64 0.3.150