Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 360
- Versions published
- 37
- First published
- Mar 2026
- Publisher
- waterson
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@guildai/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@guildai/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 39 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/chunk-JQRJ4A4S.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/chunk-M347HP6M.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/chunk-7JJT3RNI.js | 3900513 bytes | 10 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/chunk-JQRJ4A4S.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/chunk-M347HP6M.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/chunk-7JJT3RNI.js | 3900513 bytes | 10 |
| low | Credential file access | package/dist/index.js | matched ".npmrc" | 5 |
Manifest
Package metadata
Scripts20
buildnpm run build:types && npm run build:bundle && cp -r src/assets dist/build:bundlenode scripts/bundle.mjsbuild:image${CONTAINER_PROVIDER:-docker} build -t guildcode/guild-runtime:latest -f ../guildai/packages/runtime/Dockerfile ../guildai/packages/runtimebuild:linknpm run build && npm linkbuild:tsctsc && cp -r src/assets dist/build:typestsc --emitDeclarationOnlydevtsx src/index.tsformatprettier --write .format:checkprettier --check .format:fixprettier --write .linteslint src testprebuildpython3 scripts/sync-types-from-python.pyprepublishOnlynpm run build && npm run lint && npm run test:unittestvitest run test/unit --config vitest.unit.config.tstest:e2evitest run test/e2e --exclude='**/**.slow.test.ts'test:e2e:allvitest run test/e2etest:e2e:slowvitest run 'test/e2e/**/*.slow.test.ts'test:unitvitest run test/unit --config vitest.unit.config.tstest:watchvitesttypechecktsc --noEmit && tsc -p tsconfig.test.json --noEmit
Dependencies28
@inquirer/search^4.1.7@modelcontextprotocol/sdk^1.12.1@napi-rs/canvas^0.1.85@napi-rs/keyring^1.2.0axios^1.13.2chalk^5.3.0commander^12.1.0dotenv^16.4.7esbuild^0.28.0execa^9.6.1ink^5.0.1ink-text-input^6.0.0inquirer^12.11.1jsdom^27.3.0lottie-web^5.13.0marked^15.0.7marked-terminal^7.3.0open^10.2.0ora^8.1.1react^18.3.1sharp^0.34.5shell-quote^1.8.2string-width^7.2.0strip-ansi^7.2.0svg-pathdata^8.0.0svgdom^0.1.22ws^8.18.0zod^3.24.4