Package evidence
@evalops/[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 3,848 (Niche · −30% score)
- Versions published: 36
- First published: Apr 2026
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer $PKGRADAR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@evalops/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

    - name: PkgRadar gate
      run: |
        curl -fsS https://pkgradar.com/gate/npm \
          -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
          -H "Content-Type: application/json" \
          -d '{"specs":["@evalops/[email protected]"],"fail_on":"review"}'

Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 45 · status changed
Evidence
Static findings
15 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/safety/credential-patterns.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/memory/team-memory-secret-scan.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Credential file access | package/dist/oauth/command-key.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Install Lifecycle Remote Or Exec | package.json | postinstall="node -e \"const fs=require('node:fs');const cp=require('node:child_process');if(!fs.existsSync('./scripts/ensure-deps.js')||!fs.existsSync('./packages/contracts/package.json'))process.exit(0);const r=cp.spawnSync(process.execPath,['./scripts/ensure-deps.js','--no-install'],{stdio:'inherit'});process.exit(r.status??1);\"" | 30 |
| medium | Credential file access | package/dist/agent/providers/google.js | matched "AWS_ACCESS_KEY" | 10 |
| low | Credential file access | package/dist/providers/api-keys.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/providers/aws-auth.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/commands/config.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/cli-tui/commands/subcommands/diag-commands.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/agent/providers/google-gemini-cli.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/node_modules/@evalops/contracts/dist/guarded-files-settings.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/security/pii-detector.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/agent/providers/vertex.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node -e \"const fs=require('node:fs');const cp=require('node:child_process');if(!fs.existsSync('./scripts/ensure-deps.js')||!fs.existsSync('./packages/contracts/package.json'))process.exit(0);const r=cp.spawnSync(process.execPath,['./scripts/ensure-deps.js','--no-install'],{stdio:'inherit'});process.exit(r.status??1);\"" | 5 |
| low | Large Javascript Payload | package/dist/cli.js | 7227010 bytes | 0 |
Manifest
Package metadata
Scripts (149)
| Script | Command |
|---|---|
| a2a | tsx src/cli.ts a2a |
| a2a:codex-bridge | python3 scripts/codex-a2a-bridge.py |
| a2a:peer | tsx src/cli.ts a2a |
| build | node ./scripts/ensure-dir.js ./tmp/tsbuildinfo && tsc -b tsconfig.build.json --force && bun build ./src/cli.ts --target node --packages external --external tree-sitter --external tree-sitter-bash --outfile dist/cli.js && node ./scripts/bundle-runtime-deps.mjs && node ./scripts/copy-themes.js && node ./scripts/copy-db-migrations.js |
| build:all | bun run --filter @evalops/contracts build && bun run --filter @evalops/consumer build && bun run --filter @evalops/tui build && bun run --filter @evalops/maestro-web build && bun run build && bun run --filter @evalops/ai build |
| bun:check | bun run bun:lint && bunx tsc -p tsconfig.build.json --noEmit |
| bun:cli | bun run ./src/cli.ts |
| bun:compile | npm run build && bun build ./dist/cli.js --compile --external tree-sitter --external tree-sitter-bash --outfile dist/maestro-bun |
| bun:compile:bytecode | npm run build && bun build ./dist/cli.js --compile --bytecode --external tree-sitter --external tree-sitter-bash --outfile dist/maestro-bun-bytecode |
| bun:evals | bun run build && bun run ./scripts/run-evals.js |
| bun:install | bun install |
| bun:lint | bunx biome check . && bun run lint:evals |
| bun:test | node ./scripts/run-vitest.js --run |
| bun:test:fast | VITEST_FAST=1 node ./scripts/run-vitest.js --run |
| bun:watch | bun run --watch ./src/cli.ts |
| check | npm run lint && npm run check --workspaces --if-present && tsc -p tsconfig.build.json --noEmit |
| check:agent-trajectory-fixtures | tsx scripts/check-agent-trajectory-fixtures.ts |
| check:agent-trajectory-inspection-fixtures | tsx scripts/check-agent-trajectory-inspection-fixtures.ts |
| check:agent-trajectory-replay-fixtures | tsx scripts/check-agent-trajectory-replay-fixtures.ts |
| check:agent-trajectory-scenario-fixtures | tsx scripts/check-agent-trajectory-scenario-fixtures.ts |
| check:agent-trajectory-score-fixtures | tsx scripts/check-agent-trajectory-score-fixtures.ts |
| check:app-server-schema | tsx scripts/app-server-schema-codegen.ts --check |
| check:cli-runtime-conformance | tsx scripts/check-cli-runtime-conformance.ts |
| check:codex-operating-layer | node scripts/check-codex-operating-layer-conformance.mjs |
| check:codex-parity | node scripts/check-codex-parity-conformance.mjs |
| check:context-manifest | tsx scripts/check-context-manifest-contract.ts |
| check:drift-surfaces | node scripts/check-drift-prone-surfaces.mjs |
| check:evidence-integrity | tsx scripts/check-evidence-integrity.ts |
| check:headless-proto:generated | node scripts/check-headless-proto-generated.mjs |
| check:maestro-release-gate-events | tsx scripts/check-maestro-release-gate-events.ts |

…and 119 more.
Dependencies (49)
| Package | Version |
|---|---|
| @aws-sdk/client-bedrock-runtime | ^3.1020.0 |
| @bufbuild/protobuf | ^2.11.0 |
| @crosscopy/clipboard | ^0.2.8 |
| @modelcontextprotocol/sdk | ^1.29.0 |
| @openai/codex | ^0.135.0 |
| @opentelemetry/api | ^1.9.1 |
| @opentelemetry/auto-instrumentations-node | ^0.76.0 |
| @opentelemetry/resources | ^2.7.1 |
| @opentelemetry/sdk-node | 0.218.0 |
| @opentelemetry/semantic-conventions | ^1.41.1 |
| @sentry/node | ^10.53.1 |
| @sinclair/typebox | ^0.34.49 |
| ajv | ^8.18.0 |
| ajv-formats | ^3.0.1 |
| bcrypt | ^6.0.0 |
| chalk | ^5.6.2 |
| clipboardy | ^4.0.0 |
| diff | ^8.0.4 |
| dotenv | ^16.6.1 |
| drizzle-orm | 0.45.2 |
| exceljs | ^4.4.0 |
| fflate | ^0.8.2 |
| glob | ^13.0.6 |
| ioredis | ^5.10.1 |
| jiti | ^2.6.1 |
| jose | ^6.2.2 |
| js-yaml | ^4.1.1 |
| jsonc-parser | ^3.3.1 |
| jsonwebtoken | ^9.0.3 |
| jszip | ^3.10.1 |

…and 19 more.
Optional dependencies (3)
| Package | Version |
|---|---|
| sharp | 0.34.5 |
| tree-sitter | ^0.25.0 |
| tree-sitter-bash | ^0.25.1 |