Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 4,905 (Niche · −30% score)
- Versions published: 84
- First published: Apr 2026
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@hegemonart/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@hegemonart/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/hooks/update-check.sh | matched "curl " | 12 |
Manifest
Package metadata
Scripts (44)
- `build:bundles`: `node scripts/build-distribution-bundles.cjs`
- `build:harnesses`: `node scripts/generate-harnesses-md.cjs`
- `build:harnesses:check`: `node scripts/generate-harnesses-md.cjs --check`
- `build:sdk`: `node scripts/build-sdk-bins.cjs`
- `build:skill-graph`: `node scripts/generate-skill-graph.cjs`
- `build:skill-graph:check`: `node scripts/generate-skill-graph.cjs --check`
- `build:skills`: `node scripts/build-skills.cjs`
- `build:skills:check`: `node scripts/build-skills.cjs --check`
- `build:style`: `node scripts/generate-style-md.cjs`
- `build:style:check`: `node scripts/generate-style-md.cjs --check`
- `check:domain-links`: `node scripts/check-domain-cross-links.cjs`
- `check:harness-freshness`: `node scripts/check-harness-freshness.cjs`
- `check:no-duplication`: `node scripts/check-no-duplication.cjs`
- `codegen:schemas`: `node --experimental-strip-types scripts/codegen-schema-types.ts`
- `detect:stale-refs`: `node scripts/detect-stale-refs.cjs`
- `gdd-sdk`: `node --experimental-strip-types sdk/cli/index.ts`
- `generate:skill-frontmatter`: `node scripts/generate-skill-frontmatter.cjs`
- `generate:skill-frontmatter:check`: `node scripts/generate-skill-frontmatter.cjs --check`
- `lint:agentskills`: `node scripts/lint-agentskills-spec.cjs`
- `lint:changelog`: `node scripts/lint-changelog.cjs`
- `lint:design`: `node bin/gdd-detect test/fixtures/detect/negative --json`
- `lint:links`: `npx --yes lychee --no-progress --accept 200,206,403,429 "**/*.md" || true`
- `lint:md`: `npx --yes markdownlint-cli2 "**/*.md" "#**/node_modules" "#.planning" "#.claude" "#test/fixtures/baselines"`
- `lint:prose`: `node scripts/lint-prose.cjs`
- `postpack`: `node scripts/build-sdk-bins.cjs --clean`
- `prepack`: `npm run build:sdk`
- `release:extract-changelog`: `node scripts/extract-changelog-section.cjs`
- `scan:injection`: `node scripts/run-injection-scanner-ci.cjs`
- `scan:outbound`: `node scripts/scan-outbound-network.cjs`
- `scan:ws-bind`: `node scripts/scan-ws-bind.cjs`
- …and 14 more.
Dependencies (4)
- `@anthropic-ai/claude-agent-sdk`: `^0.3.143`
- `@clack/prompts`: `^1.2.0`
- `@modelcontextprotocol/sdk`: `^1.0.0`
- `ajv`: `^8.18.0`
Optional dependencies (2)
- `pngjs`: `^7.0.0`
- `ws`: `^8.20.0`