PkgRadar

Package evidence

@f5xc-salesdemos/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
7,674Niche · −30% score
Versions published
282
First published
Apr 2026
Publisher
robinmordasiewicz

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@f5xc-salesdemos/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@f5xc-salesdemos/[email protected]"],"fail_on":"review"}'
Publisherrobinmordasiewicz
Artifact bytes4,626,144
Previous version19.29.1
Published2026-06-13T05:18:15.961Z
SHA-256b93d8000980e3817950947a5c26ed0353ce661f897478183b72588cc7f6c1060

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
19.29.2Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/src/cli/args.tsmatched "AWS_ACCESS_KEY"5
lowObfuscation Densitypackage/src/modes/components/welcome.tshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts15
  • buildbun run generate-build-info && bun run generate-api-spec-index && bun run generate-branding-index && bun run generate-terraform-index && test -f src/internal-urls/api-spec-index.generated.ts && bun --cwd=../stats scripts/generate-client-bundle.ts --generate && bun --cwd=../natives run embed:native && bun build --compile --define PI_COMPILED=true --external mupdf --root ../.. ./src/cli.ts --outfile dist/xcsh && bun --cwd=../natives run embed:native --reset && bun --cwd=../stats scripts/generate-client-bundle.ts --reset
  • checkbiome check . && bun run format-prompts -- --check && bun run check:types
  • check:typesbun run generate-build-info && bun run generate-api-spec-index && bun run generate-branding-index && bun run generate-terraform-index && tsgo -p tsconfig.json --noEmit
  • fixbiome check --write --unsafe . && bun run format-prompts && bun run generate-docs-index && bun run generate-api-spec-index && bun run generate-build-info
  • fmtbiome format --write . && bun run format-prompts
  • format-promptsbun scripts/format-prompts.ts
  • generate-api-spec-indexbun scripts/generate-api-spec-index.ts
  • generate-branding-indexbun scripts/generate-branding-index.ts
  • generate-build-infobun scripts/generate-build-info.ts
  • generate-docs-indexbun scripts/generate-docs-index.ts
  • generate-templatebun scripts/generate-template.ts
  • generate-terraform-indexbun scripts/generate-terraform-index.ts
  • lintbiome lint .
  • prepackbun scripts/generate-docs-index.ts && bun scripts/generate-api-spec-index.ts && bun scripts/generate-build-info.ts && bun scripts/generate-terraform-index.ts
  • testbun run generate-build-info && bun run generate-api-spec-index && bun test --max-concurrency 4
Dependencies20
  • @agentclientprotocol/sdk0.16.1
  • @f5xc-salesdemos/pi-agent-core19.29.2
  • @f5xc-salesdemos/pi-ai19.29.2
  • @f5xc-salesdemos/pi-natives19.29.2
  • @f5xc-salesdemos/pi-tui19.29.2
  • @f5xc-salesdemos/pi-utils19.29.2
  • @f5xc-salesdemos/xcsh-stats19.29.2
  • @mozilla/readability^0.6
  • @sinclair/typebox^0.34
  • @xterm/headless^6.0
  • ajv^8.20
  • chalk^5.6
  • diff^8.0
  • fflate0.8.2
  • handlebars^4.7
  • linkedom^0.18
  • lru-cache11.3.1
  • markit-ai0.5.0
  • puppeteer^24.37
  • zod4.3.6