PkgRadar

Package evidence

@futdevpro/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
8,269Niche · −30% score
Versions published
514
First published
Mar 2026
Publisher
itharen

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@futdevpro/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@futdevpro/[email protected]"],"fail_on":"review"}'
Publisheritharen
Artifact bytes15,397,294
Previous version1.1.4601
Published2026-05-26T07:30:46.492Z
SHA-25618328a256d184b6b5ea94f974cb011c4efd1149dc33a1d322bddb0af3e222bcc

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
28Score
1.1.4618Version
Status history (1 event)
  1. newavailable · risk review · score 28 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/client-dist/embedding-registry.module-7J4YIKYG.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/client-dist/scheduler.module-WAVGT4HN.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/client-dist/wfs.module-DKZBR6B3.jshigh encoded/escaped-token density12
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/client-dist/embedding-registry.module-7J4YIKYG.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/client-dist/scheduler.module-WAVGT4HN.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/client-dist/wfs.module-DKZBR6B3.jshigh encoded/escaped-token density12
lowInstall-time lifecycle scriptpackage.jsonpostinstall="npm run rebuild-robotjs"5

Manifest

Package metadata

Scripts33
  • buildcd server && pnpm run build-base ; cd ../cli && pnpm run build-base ; pnpm run build-ui-for-server ; pnpm run build-mobile
  • build-clicd cli && pnpm run build-base
  • build-clientcd client && pnpm run build-base
  • build-client-for-servercd client && node scripts/inject-version.cjs && npx ng build --configuration production --base-href /api/app/
  • build-copy-client-distnode -e "const fs=require('fs'),path=require('path'); const s=path.join('client','dist','ccap-revisioned','browser'),d='client-dist'; if(fs.existsSync(s)){ if(fs.existsSync(d)) fs.rmSync(d,{recursive:true}); fs.mkdirSync(d,{recursive:true}); fs.readdirSync(s).forEach(n=>fs.cpSync(path.join(s,n),path.join(d,n),{recursive:true})); }"
  • build-mobilenode scripts/run-build-mobile-pipeline.cjs full
  • build-mobile-after-client-buildnode scripts/run-build-mobile-pipeline.cjs after-client
  • build-mobile-apknode scripts/run-mobile-android-assemble-debug.cjs
  • build-mobile-copy-distnode scripts/copy-mobile-apk-to-dist.cjs
  • build-mobile-copy-wwwnode scripts/copy-client-dist-to-mobile-www.cjs
  • build-mobile-ensure-androidnode scripts/ensure-capacitor-android-platform.cjs
  • build-mobile-synccd mobile ; pnpm exec cap sync android
  • build-mobile-webcd client ; node scripts/inject-version.cjs ; ng build --configuration production --base-href ./
  • build-servercd server && pnpm run build-base
  • build-ui-for-serverpnpm run build-client-for-server && pnpm run build-copy-client-dist
  • canvas-to-mermaidts-node scripts/canvas-to-mermaid.ts
  • postinstallnpm run rebuild-robotjs
  • preppnpm i ; cd server ; pnpm i ; cd ../cli ; pnpm i ; cd ../client ; pnpm i ; cd ../mobile ; pnpm i ; cd ../e2e ; pnpm i ; cd ../e2e-mobile ; pnpm i
  • preparenode -e "const {execSync}=require('child_process'),fs=require('fs');if(process.env.CI||process.env.HUSKY==='0'||!fs.existsSync('.git'))process.exit(0);try{execSync('husky',{stdio:'inherit',shell:true});}catch(_){process.exit(0);}"
  • prepublishOnlynode -e "const fs=require('fs');if(!fs.existsSync('client-dist/index.html')){console.error('[prepublishOnly] client-dist/index.html missing - publish blocked. Run: pnpm run build-ui-for-server');process.exit(1);}console.log('[prepublishOnly] client-dist OK');" && node scripts/verify-publish-tarball.cjs && node scripts/verify-publish-smoke-install.cjs
  • rebuild-robotjsnode -e "const {execSync}=require('child_process'),fs=require('fs'),path=require('path');if(process.env.CI==='true'||process.env.SKIP_ROBOTJS_REBUILD==='1'||process.env.npm_config_global==='true')process.exit(0);if(!fs.existsSync(path.join(process.cwd(),'node_modules','robotjs')))process.exit(0);const o={stdio:'inherit',shell:true};try{try{execSync('pnpm rebuild robotjs',o);}catch(_){execSync('npm rebuild robotjs',o);}}catch(e){console.warn('[ccap-postinstall] robotjs rebuild skipped (non-blocking): '+(e&&e.message?e.message:String(e)));}"
  • run-e2e-against-serverpnpm run build-ui-for-server && npx concurrently -k -s first "cd server && pnpm start" "npx wait-on http://localhost:39050/api/app/ -t 90000 && pnpm run test-e2e:server -- tests/client-appearance.spec.ts tests/smoke.spec.ts"
  • startpnpm run prep ; pnpm run start-server
  • start-clientcd client && pnpm run serve
  • start-servercd server && pnpm start
  • start:server-with-uipnpm run build-ui-for-server ; cd server ; pnpm start
  • testcd cli && pnpm test ; cd ../server && pnpm test ; cd ../client && pnpm test
  • test-clicd cli && pnpm test
  • test-clientcd client && pnpm test
  • test-e2ecd e2e && pnpm test
  • …and 3 more.
Dependencies29
  • @agentclientprotocol/sdk^0.18.2
  • @discordjs/voice^0.19.2
  • @futdevpro/fsm-dynamo1.15.13
  • @futdevpro/nts-dynamo1.15.34
  • @inquirer/prompts^5.5.0
  • @lydell/node-pty1.2.0-beta.12
  • botbuilder^4.23.3
  • commander^12.1.0
  • discord.js^14.26.4
  • express~4.21.2
  • http-proxy-middleware~3.0.5
  • imapflow^1.3.3
  • jimp^1.6.1
  • mammoth^1.12.0
  • module-alias^2.3.4
  • multer^2.1.1
  • node-cron^3.0.3
  • node-telegram-bot-api^0.66.0
  • nodemailer^6.10.1
  • openai^6.39.0
  • pdf-parse^1.1.4
  • playwright^1.60.0
  • screenshot-desktop^1.15.4
  • sharp^0.33.5
  • socket.io~4.8.3
  • socket.io-client~4.8.3
  • tesseract.js^5.1.1
  • tslib~2.6.3
  • zod^4.4.3
Optional dependencies1
  • robotjs^0.6.0