Package evidence
@entelligentsia/[email protected]
Remote Payload: matched "raw.githubusercontent.com"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,023Niche · −30% score
- Versions published
- 22
- First published
- May 2026
- Publisher
- entelligentsia
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@entelligentsia/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@entelligentsia/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 190 · status changed
Evidence
Static findings
233 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/forge-payload/hooks/check-update.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/node_modules/@earendil-works/pi-coding-agent/dist/core/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/lua.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/moonscript.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/powershell.js | matched "curl " | 12 |
| medium | Remote Payload | package/node_modules/ws/lib/websocket.js | matched "cUrl " | 12 |
Show all 233 findings (low-signal and informational)
Showing 60 of 233 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/forge-payload/hooks/check-update.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/node_modules/@earendil-works/pi-coding-agent/dist/core/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/lua.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/moonscript.js | matched "wget " | 12 |
| medium | Remote Payload | package/node_modules/highlight.js/lib/languages/powershell.js | matched "curl " | 12 |
| medium | Remote Payload | package/node_modules/ws/lib/websocket.js | matched "cUrl " | 12 |
| low | Credential file access | package/node_modules/@earendil-works/pi-coding-agent/dist/cli/args.js | matched ".azure" | 5 |
| low | Credential file access | package/node_modules/@earendil-works/pi-ai/dist/providers/azure-openai-responses.js | matched ".azure" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/nested-clients/dist-es/submodules/signin/endpoint/bdd.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/google-auth-library/build/src/auth/defaultawssecuritycredentialssupplier.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/client-bedrock-runtime/dist-es/models/enums.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@earendil-works/pi-ai/dist/env-api-keys.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getConfigFilepath.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getCredentialsFilepath.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/credential-provider-imds/dist-es/utils/getExtendedInstanceMetadataCredentials.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getSSOTokenFilepath.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/google-auth-library/build/src/auth/googleauth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.browser.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-login/dist-cjs/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/nested-clients/dist-cjs/submodules/signin/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/core/dist-cjs/submodules/config/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/credential-provider-imds/dist-cjs/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/node-http-handler/dist-cjs/index.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.native.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-login/dist-es/LoginCredentialsFetcher.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@smithy/node-http-handler/dist-es/node-http-handler.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/core/dist-es/submodules/client/util-endpoints/lib/aws/partitions.js | matched ".aws" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-sso/dist-es/validateSsoProfile.js | matched ".aws" | 5 |
| low | Obfuscation | package/dist/forge-payload/tools/banners.cjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/forge-payload/tools/build-init-context.cjs | matched "\\u25CB" | 3 |
| low | Obfuscation | package/node_modules/fast-xml-builder/lib/fxb.cjs | matched "\\x3c" | 3 |
| low | Obfuscation | package/node_modules/fast-xml-parser/lib/fxp.cjs | matched "\\u00C0" | 3 |
| low | Obfuscation | package/node_modules/@google/genai/dist/index.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/@google/genai/dist/node/index.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/jiti/dist/jiti.cjs | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/marked/lib/marked.cjs | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/@google/genai/dist/tokenizer/node.cjs | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/zod/v4/core/schemas.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/dist/forge-payload/tools/store-cli.cjs | matched "\\u003c" | 3 |
| low | Obfuscation | package/node_modules/zod/v3/types.cjs | matched "\\u00A0" | 3 |
| low | Obfuscation | package/node_modules/zod/v4/core/util.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/@earendil-works/pi-ai/dist/providers/amazon-bedrock.js | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/@earendil-works/pi-coding-agent/dist/core/export-html/ansi-to-html.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/node_modules/@earendil-works/pi-coding-agent/dist/utils/ansi.js | matched "\\u0007" | 3 |
| low | Obfuscation | package/node_modules/@earendil-works/pi-ai/dist/utils/oauth/anthropic.js | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/highlight.js/lib/languages/arduino.js | matched "\\xFF" | 3 |
| low | Obfuscation | package/node_modules/argparse/argparse.js | matched "\\x1c" | 3 |
| low | Obfuscation | package/node_modules/@earendil-works/pi-coding-agent/dist/modes/interactive/components/assistant-message.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/node_modules/@anthropic-ai/sdk/internal/utils/base64.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/@mistralai/mistralai/esm/lib/base64.js | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/openai/internal/utils/base64.js | matched "fromCharCode" | 3 |
Manifest
Package metadata
Scripts12
buildnode scripts/build-payload.cjs && tscbuild:tsc-onlytscdead-codekniplintbiome check src testlint:no-skipnode tools/check-no-skipped-tests.cjspostpacknode scripts/prepack-fix-bundled.cjs --restoreprepacknode scripts/prepack-fix-bundled.cjssmoke:tmpbash test/e2e/tmp-smoke.shsync-forgenode scripts/sync-forge.cjstestvitest runtest:e2ebash test/e2e/smoke.shtypechecktsc --noEmit
Dependencies8
@earendil-works/pi-agent-corefile:./vendor-pi/earendil-works-pi-agent-core-0.75.4.tgz@earendil-works/pi-aifile:./vendor-pi/earendil-works-pi-ai-0.75.4.tgz@earendil-works/pi-coding-agentfile:./vendor-pi/earendil-works-pi-coding-agent-0.75.4-forge.1.tgz@earendil-works/pi-tuifile:./vendor-pi/earendil-works-pi-tui-0.75.4.tgzajv^8.20.0js-yaml^4.1.0lunr2.3.9typebox^1.1.24