Package evidence

@esankhan3/[email protected]

Remote Payload: matched "curl "

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@esankhan3/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@esankhan3/[email protected]"],"fail_on":"review"}'

Publisheresankhan3

Artifact bytes2,085,578

Previous version0.2.1

Published2026-05-25T06:33:11.598Z

SHA-256e29aacdb6a9a27d4a55f684e275581a71d39bb1a617ac889ff5664f6f1cc58d7

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

19d agoLast checked

reviewRisk

115Score

0.3.0Version

Status history (1 event)

new → available19d ago · risk review · score 115 · status changed

Evidence

Static findings

31 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/commands/doctor.js	matched "curl "	12
medium	Remote Payload	package/dist/dashboard/dist/assets/index-tpc25n-z.js	matched "curl "	12

Show all 31 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/commands/doctor.js	matched "curl "	12
medium	Remote Payload	package/dist/dashboard/dist/assets/index-tpc25n-z.js	matched "curl "	12
low	Credential file access	package/dist/dashboard/server/setup/load-env.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/dashboard/server/review-rules/security-prepass.js	matched "AWS_ACCESS_KEY"	5
low	Obfuscation	package/dist/commands/auth.js	matched "\\u0004"	3
low	Obfuscation	package/dist/git/branch-name.js	matched "\\x00"	3
low	Obfuscation	package/dist/pipeline/budget.js	matched "\\u2500"	3
low	Obfuscation	package/dist/pipeline/conventions.js	matched "\\u2717"	3
low	Obfuscation	package/dist/sandbox/deploy-output-parser.js	matched "\\x1B"	3
low	Obfuscation	package/dist/commands/diff.js	matched "\\u2717"	3
low	Obfuscation	package/dist/commands/doctor.js	matched "\\u25CB"	3
low	Obfuscation	package/dist/resilience/garbage-detector.js	matched "\\x00"	3
low	Obfuscation	package/dist/incident-stats-formatter.js	matched "\\u001b"	3
low	Obfuscation	package/dist/dashboard/server/incident-webhooks.js	matched "Buffer.from(s, 'base64"	3
low	Obfuscation	package/dist/dashboard/dist/assets/index-tpc25n-z.js	matched "\\u00C0"	3
low	Obfuscation	package/dist/dashboard/server/pipeline/json-extract.js	matched "\\u201C"	3
low	Obfuscation	package/dist/dashboard/server/pipeline-approval-tokens.js	matched "Buffer.from(input, 'base64"	3
low	Obfuscation	package/dist/dashboard/server/plan-share.js	matched "Buffer.from(input, 'base64"	3
low	Obfuscation	package/dist/commands/replay.js	matched "\\u2713"	3
low	Obfuscation	package/dist/dashboard/server/review-dismissal-store.js	matched "\\u0001"	3
low	Obfuscation	package/dist/commands/runs.js	matched "\\x1b"	3
low	Obfuscation	package/dist/dashboard/server/review-rules/security-prepass.js	matched "eval("	3
low	Obfuscation	package/dist/dashboard/server/browser/session-manager.js	matched "\\u241F"	3
low	Obfuscation	package/dist/commands/setup.js	matched "\\u2713"	3
low	Obfuscation	package/dist/analytics/stats-formatter.js	matched "\\u2581"	3
low	Obfuscation	package/dist/ui/summary.js	matched "\\x1B"	3
low	Obfuscation	package/dist/dashboard/server/test-share.js	matched "Buffer.from(input, 'base64"	3
low	Obfuscation	package/dist/commands/tui.js	matched "\\x1B"	3
low	Obfuscation	package/dist/commands/validate.js	matched "\\u2713"	3
low	Obfuscation	package/dist/dashboard/server/tools/web-fetch.js	matched "\\u241F"	3
low	Obfuscation	package/dist/dashboard/server/tools/web-tool-bridge.js	matched "\\u241F"	3

Manifest

Package metadata

Scripts3

buildnpm --prefix ../dashboard run build && tsc -b && node ./scripts/bundle-dashboard.mjs && (mkdir -p dist/templates && cp src/templates/*.yaml dist/templates/ 2>/dev/null || true) && (mkdir -p dist/personas/prompts && cp src/personas/prompts/*.md dist/personas/prompts/ 2>/dev/null || true)
devtsc -b --watch
testecho 'cli has no per-workspace node:test files (knowledge tests moved to @anvil/knowledge-core; hooks integration test runs via root jest)'

Dependencies17

@esankhan3/anvil-agent-core^0.3.0
@esankhan3/anvil-convention-core^0.3.0
@esankhan3/anvil-core-pipeline^0.3.0
@esankhan3/anvil-knowledge-core^0.3.0
@esankhan3/anvil-memory-core^0.3.0
commander^13.1.0
lucide-react1.8.0
picocolors^1.1.1
react^19.1.0
react-dom^19.1.0
react-force-graph-2d1.29.1
socket.io^4.8.3
socket.io-client^4.8.3
ts-pattern^5.9.0
ws^8.18.0
yaml^2.7.1
zod^3.25.76