Package evidence
@elizaos/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 6 dependency(ies) (1 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- Jan 2026
- Publisher
- shawticus
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@elizaos/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@elizaos/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 6 dependency(ies) (1 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 6 dependency(ies) (1 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
Manifest
Package metadata
Scripts23
buildnpm run build:prompts && bun run build:ts && bun run build:rust && bun run build:pythonbuild:promptsnode ../../packages/prompts/scripts/generate-plugin-prompts.js ./prompts ./typescript/generated/prompts --target allbuild:pythontest -d python && cd python && (python3 -m build 2>/dev/null || pyproject-build) || echo 'Python build skipped - no python directory'build:rusttest -d rust && cd rust && cargo build --release || echo 'Rust build skipped - no rust directory'build:rust:wasmcd rust && wasm-pack build --target web --out-dir pkg/webbuild:tscd typescript && bun run build.tscleanrm -rf dist .turbo node_modules .turbo-tsconfig.json *.tsbuildinfodevcd typescript && bun run build.ts --watchformatbunx @biomejs/biome format --write ./typescriptformat:checkbunx @biomejs/biome format ./typescriptlintbunx @biomejs/biome check --write ./typescriptlint:checkbunx @biomejs/biome check ./typescriptlint:pythoncd python && ruff check --fix . && ruff format .lint:python:fixcd python && ruff check --fix . && ruff format .lint:rustcd rust && cargo clippy --all-targets --fix --allow-dirty --allow-staged -- -D warnings && cargo fmttestbun run test:ts && bun run test:rust && bun run test:pythontest:integrationvitest run typescript/__tests__/integration/test:pythontest -d python && cd python && pytest -p no:anchorpy --asyncio-mode=autotest:rusttest -d rust && cd rust && cargo test --lockedtest:tsvitest run typescript/test:unitvitest run typescript/__tests__/unit/typechecktsc --noEmit -p typescript/tsconfig.json || truetypecheck:pythoncd python && python3 -m mypy elizaos_plugin_polymarket
Dependencies6
@elizaos/core2.0.0-alpha.1@elizaos/plugin-evmworkspace:*@polymarket/clob-client^5.2.0viem^2.21.0ws^8.17.0zod^4.3.5