Package evidence

@exaudeus/[email protected]

Install Lifecycle Remote Or Exec: preinstall="node -e \"const v=parseInt(process.versions.node.split('.')[0],10); if(v<20){console.error('WorkRail requires Node.js >=20. Current: '+process.versions.node+'\\nPlease upgrade: https://nodejs.org/'); process.exit(1);}\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,468Niche · −30% score
Versions published: 331Established · −30% score
First published: Jul 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@exaudeus/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@exaudeus/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes3,307,336

Previous version3.116.0

Published2026-06-01T03:08:19.793Z

SHA-256af94583b4189ed9557fd57f3961a1c56774734bd99f244cb3479896d7af0b48d

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

12d agoLast checked

reviewRisk

24Score

3.117.0Version

Status history (1 event)

new → available12d ago · risk review · score 24 · status changed

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	preinstall="node -e \"const v=parseInt(process.versions.node.split('.')[0],10); if(v<20){console.error('WorkRail requires Node.js >=20. Current: '+process.versions.node+'\\nPlease upgrade: https://nodejs.org/'); process.exit(1);}\""	30

Show all 11 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	preinstall="node -e \"const v=parseInt(process.versions.node.split('.')[0],10); if(v<20){console.error('WorkRail requires Node.js >=20. Current: '+process.versions.node+'\\nPlease upgrade: https://nodejs.org/'); process.exit(1);}\""	30
low	Credential file access	package/dist/daemon/core/agent-client.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/cli-worktrain.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/cli.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/v2/usecases/console-routes.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/daemon/runner/pre-agent-session.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/trigger/trigger-listener.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/cli/commands/worktrain-daemon-install.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/cli/commands/worktrain-daemon.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/cli/commands/worktrain-init.js	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	preinstall="node -e \"const v=parseInt(process.versions.node.split('.')[0],10); if(v<20){console.error('WorkRail requires Node.js >=20. Current: '+process.versions.node+'\\nPlease upgrade: https://nodejs.org/'); process.exit(1);}\""	5

Manifest

Package metadata

Scripts60

backlognpx ts-node --project scripts/tsconfig.json scripts/backlog-priority.ts
benchmark-token-sizenode scripts/benchmark-token-size.ts
buildnode -e "require('fs').rmSync('dist',{recursive:true,force:true});" && tsc -p tsconfig.build.json && npm run console:build && node -e "require('fs').chmodSync('dist/mcp-server.js',0o755); require('fs').chmodSync('dist/cli-worktrain.js',0o755); require('fs').chmodSync('dist/cli-workrail.js',0o755);"
build:allnpm run build
check-keyringnode scripts/check-keyring.ts
codemod:guardnpx ts-node scripts/codemods/run.ts --mod guard --tsconfig tsconfig.test.json
codemod:reportnpx ts-node scripts/codemods/run.ts --mod report --tsconfig tsconfig.test.json
codemod:test-platform-guardnpx ts-node scripts/codemods/run.ts --mod test-platform-guard --tsconfig tsconfig.test.json
codemod:token-callsnpx ts-node scripts/codemods/run.ts --mod token-calls --tsconfig tsconfig.test.json --write
codemod:token-calls:drynpx ts-node scripts/codemods/run.ts --mod token-calls --tsconfig tsconfig.test.json
codemod:v2-contextsnpx ts-node scripts/codemods/run.ts --mod v2-contexts --tsconfig tsconfig.test.json --write
codemod:v2-contexts:drynpx ts-node scripts/codemods/run.ts --mod v2-contexts --tsconfig tsconfig.test.json
codemod:v2-prunenpx ts-node scripts/codemods/run.ts --mod v2-prune --tsconfig tsconfig.test.json --write
codemod:v2-prune:drynpx ts-node scripts/codemods/run.ts --mod v2-prune --tsconfig tsconfig.test.json
console:buildcd console && npm install && npm run build
console:devcd console && npm run dev
decode-tokennode scripts/decode-token.ts
devnpm run build && node dist/mcp-server.js
dev:daemonWORKRAIL_TRIGGERS_ENABLED=true WORKRAIL_DATA_DIR=$HOME/.workrail/dev WORKRAIL_DEFAULT_WORKSPACE=$(pwd) node dist/cli-worktrain.js daemon
dev:mcppkill -f "$(pwd)/dist/mcp-server.js" 2>/dev/null; sleep 0.5; WORKRAIL_TRANSPORT=http WORKRAIL_ENABLE_SESSION_TOOLS=true node dist/mcp-server.js
dev:mcp:watchpkill -f "$(pwd)/dist/mcp-server.js" 2>/dev/null; sleep 0.5; WORKRAIL_TRANSPORT=http WORKRAIL_ENABLE_SESSION_TOOLS=true nodemon --watch dist --ext js --delay 2 --exec 'node dist/mcp-server.js'
dev:watch-hangsbash scripts/watch-rg-hangs.sh
diff-tokensnode scripts/diff-tokens.ts
docs:authoringnode scripts/generate-authoring-docs.js
docs:workflowsnode scripts/generate-workflow-docs.js
e2eplaywright test
e2e:installplaywright install
e2e:uiplaywright test --ui
generate-golden-tokensnode scripts/generate-golden-tokens.ts
generate:locksnpx ts-node scripts/generate-lock-coverage.ts && npx ts-node scripts/generate-lock-coverage.ts --json
…and 30 more.

Dependencies19

@anthropic-ai/bedrock-sdk^0.29.0
@anthropic-ai/sdk^0.98.0
@modelcontextprotocol/sdk^1.24.0
@scure/base2.2.0
ajv^8.17.1
chalk^5.3.0
commander^14.0.0
cors^2.8.5
dotenv^17.2.0
express^5.1.0
neverthrow^8.2.0
open^11.0.0
reflect-metadata^0.2.0
semver^7.7.2
tinyglobby^0.2.15
tsconfig-paths^4.2.0
tslib^2.8.1
tsyringe^4.8.0
zod^3.22.4