Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@ggui-ai/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@ggui-ai/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".AWS"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 429 · status changed
Evidence
Static findings
64 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/evaluation/evaluator.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/evaluation/index.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/evaluation/loop.js | matched ".AWS" | 30 |
| high | Credential file access | package/src/providers/bedrock.ts | matched ".aws" | 30 |
| high | Credential file access | package/src/harness/llm-router.ts | matched ".AWS" | 30 |
| medium | Obfuscation Density | package/dist/boilerplate.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/tools/get-primitives-ts.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/coding-agent/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/validation/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/prompts.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/provider-adapter-contract.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/runtime.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/types-public.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/adapters/generation-dispatch.js | 4901774 bytes | 10 |
| medium | Large Javascript Payload | package/dist/adapters/index.js | 8538617 bytes | 10 |
| medium | Large Javascript Payload | package/dist/index.js | 12817474 bytes | 10 |
Show all 64 findings (low-signal and informational)
Showing 60 of 64 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/evaluation/evaluator.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/evaluation/index.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/evaluation/loop.js | matched ".AWS" | 30 |
| high | Credential file access | package/src/providers/bedrock.ts | matched ".aws" | 30 |
| high | Credential file access | package/src/harness/llm-router.ts | matched ".AWS" | 30 |
| medium | Obfuscation Density | package/dist/boilerplate.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/tools/get-primitives-ts.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/coding-agent/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/validation/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/prompts.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/provider-adapter-contract.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/runtime.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/harness/types-public.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/adapters/generation-dispatch.js | 4901774 bytes | 10 |
| medium | Large Javascript Payload | package/dist/adapters/index.js | 8538617 bytes | 10 |
| medium | Large Javascript Payload | package/dist/index.js | 12817474 bytes | 10 |
| low | Obfuscation | package/dist/blueprint-validator.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/boilerplate.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/coding-agent/boilerplate.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/compose.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/design-system-docs.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/evaluator.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/get-primitives-ts.js | matched "\\u2550" | 3 |
| low | Obfuscation | package/dist/tools/get-wire.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/check/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/coding-agent/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/axis-checks/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/fragments/index.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/harness/check/runtime-render/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/harness/index.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/providers/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/validation/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/loop.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/patch.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/prompts.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/harness/prompts.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/provider-adapter-contract.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/adapters/openai/raw.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/evaluation/axis-checks/registry.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/render-check-worker.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/render-check.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/harness/runtime.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools.js | matched "\\u2502" | 3 |
| low | Obfuscation | package/dist/evaluation/types-public.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/harness/types-public.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/validation/ui-compiler.js | matched "\\xD7" | 3 |
| low | Obfuscation | package/dist/user-request.js | matched "\\u26A0" | 3 |
| low | Obfuscation | package/dist/harness/validator-trace-sink.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/workflows.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/src/coding-agent/file-agent.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/tools/get-primitives-ts.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/harness/coding/init-session.ts | matched "Eval(" | 3 |
| low | Obfuscation | package/src/evaluation/llm-evaluator.ts | matched "Eval(" | 3 |
| low | Obfuscation | package/src/coding-agent/planner.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/validation/primitives.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/coding-agent/prompts.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/harness/prompts.ts | matched "eval(" | 3 |
| low | Obfuscation | package/src/harness/coding/run-eval-round.ts | matched "Eval(" | 3 |
Manifest
Package metadata
Scripts5
buildtsupdevtsup --watchtestvitest runtest:watchvitesttypechecktsc --noEmit
Dependencies21
@anthropic-ai/bedrock-sdk^0.29.0@anthropic-ai/claude-agent-sdk0.2.76@anthropic-ai/sdk^0.91.1@ggui-ai/design0.1.0-rc.3@ggui-ai/gadgets0.1.0-rc.3@ggui-ai/sandbox0.1.0-rc.3@ggui-ai/ui-visual-tester0.1.0-rc.3@ggui-ai/wire0.1.0-rc.3@google/genai^1.45.0@huggingface/transformers^3.0.0@typescript-eslint/parser^8.0.0diff^8.0.3esbuild^0.25.0eslint^8.56.0eslint-plugin-react^7.37.0eslint-plugin-react-hooks^5.0.0isomorphic-git^1.37.4memfs^4.56.11openai^6.29.0typescript^5.0.0zod^4.0.0