PkgRadar

Package evidence

@gmickel/[email protected]

Credential file access: matched ".ssh"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 102
First published: Dec 2025
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@gmickel/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@gmickel/[email protected]"],"fail_on":"review"}'

Artifact bytes: 8,835,366
Previous version: 1.6.0
Published: 2026-05-26T13:51:24.289Z
SHA-256: 2e38ed99b42e4e8a8ac6d57862817248101bf23cbfd4e8726f781437008a44df

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 1.7.0
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| low | Credential file access | package/src/mcp/tools/capture.ts | matched ".ssh" | 5 |
| low | Credential file access | package/src/core/validation.ts | matched ".ssh" | 5 |

Manifest

Package metadata

Scripts (85)
  • bench:ast-chunking: bun scripts/ast-chunking-benchmark.ts
  • bench:code-embeddings: bun scripts/code-embedding-benchmark.ts
  • bench:code-embeddings:write: bun scripts/code-embedding-benchmark.ts --write
  • bench:cpu-embeddings: bun scripts/cpu-embed-autoresearch.ts
  • bench:cpu-embeddings:native-batch-probe: bun scripts/native-embedding-batch-probe.ts
  • bench:general-embeddings: bun scripts/general-embedding-benchmark.ts
  • bench:general-embeddings:write: bun scripts/general-embedding-benchmark.ts --write
  • build: bun build src/index.ts
  • build:css: tailwindcss -i src/serve/public/globals.css -o src/serve/public/globals.built.css --minify
  • dev: bun run --hot src/index.ts
  • docs:verify: bun run scripts/docs-verify.ts
  • eval: bun --bun evalite
  • eval:hybrid: bun --bun evalite evals/hybrid.eval.ts
  • eval:hybrid:baseline: bun scripts/hybrid-benchmark.ts --write
  • eval:hybrid:delta: bun scripts/hybrid-benchmark.ts --delta
  • eval:retrieval-candidates: bun scripts/retrieval-candidate-benchmark.ts
  • eval:retrieval-candidates:write: bun scripts/retrieval-candidate-benchmark.ts --write
  • eval:watch: bun --bun evalite watch
  • evals: bun scripts/update-eval-scores.ts
  • lint: oxlint --fix --type-aware --type-check && oxfmt .
  • lint:check: oxlint --type-aware --type-check && oxfmt --check .
  • prepare: lefthook install
  • prerelease: bun run lint:check && bun test && bun run docs:verify && bun run test:package
  • release:dry-run: gh workflow run publish.yml -f publish=false
  • release:trigger: gh workflow run publish.yml -f publish=true
  • research:embeddings:autonomous:confirm-winner: bun research/embeddings/autonomous/scripts/confirm-winner.ts
  • research:embeddings:autonomous:leaderboard: bun research/embeddings/autonomous/scripts/leaderboard.ts
  • research:embeddings:autonomous:list-search-candidates: bun research/embeddings/autonomous/scripts/list-search-candidates.ts
  • research:embeddings:autonomous:run-candidate: bun research/embeddings/autonomous/scripts/run-candidate.ts
  • research:embeddings:autonomous:search: bun research/embeddings/autonomous/scripts/search.ts
  • …and 55 more.
Dependencies (42)
  • @codemirror/lang-markdown 6.5.0
  • @codemirror/theme-one-dark 6.1.3
  • @modelcontextprotocol/sdk 1.27.1
  • @radix-ui/react-collapsible 1.1.12
  • @radix-ui/react-dialog 1.1.15
  • @radix-ui/react-dropdown-menu 2.1.16
  • @radix-ui/react-hover-card 1.1.15
  • @radix-ui/react-progress 1.1.8
  • @radix-ui/react-scroll-area 1.2.10
  • @radix-ui/react-select 2.2.6
  • @radix-ui/react-separator 1.1.8
  • @radix-ui/react-slot 1.2.4
  • @radix-ui/react-tooltip 1.2.8
  • ai 6.0.68
  • bun-plugin-tailwind 0.1.2
  • class-variance-authority 0.7.1
  • clsx 2.1.1
  • cmdk 1.1.1
  • codemirror 6.0.2
  • commander 14.0.3
  • embla-carousel-react 8.6.0
  • franc 6.2.0
  • lucide-react 1.8.0
  • markitdown-ts 0.0.9
  • minimatch 10.2.3
  • nanoid 5.1.6
  • node-llama-cpp 3.18.1
  • officeparser 6.0.4
  • picocolors 1.1.1
  • react 19.2.4
  • …and 12 more.