PkgRadar

Package evidence

@holoscript/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
17
First published
Jan 2026
Publisher
brianonbased

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@holoscript/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@holoscript/[email protected]"],"fail_on":"review"}'
Publisherbrianonbased
Artifact bytes5,502,839
Previous version7.0.0
Published2026-06-01T03:28:02.623Z
SHA-2562ba950cc6f9dbb088141f7730ae881af66be2de42d7043537c71b59ed063d555

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
8.0.0Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/traits/index.cjsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/traits/index.jsmatched "AWS_ACCESS_KEY"5
lowLarge Javascript Payloadpackage/dist/playwright-3AT3AKTV.cjs5241769 bytes0
lowLarge Javascript Payloadpackage/dist/playwright-VZPDVUEQ.js5201738 bytes0

Manifest

Package metadata

Scripts15
  • benchmark:critic-loopnode scripts/run-critic-loop-benchmark.mjs
  • benchmark:dispatch-policytsx src/compiler/dispatch/DispatchPolicyBenchmark.cli.ts
  • benchmark:export-targetsnode run-vitest.mjs src/compiler/__tests__/export-manager-all-targets-bench.test.ts
  • benchmark:paper10:compile-matrixnode scripts/run-paper10-compile-matrix.mjs
  • benchmark:paper10:compile-matrix:fullnode scripts/run-paper10-compile-matrix.mjs --full
  • benchmark:paper10:depth-distributionnode scripts/run-paper10-depth-distribution.mjs
  • benchmark:paper6:mecanim-matrixnode scripts/run-paper6-mecanim-matrix.mjs
  • buildnode scripts/verify-internal-workspace-protocol.mjs && tsup && node scripts/generate-types.mjs
  • devtsup --watch
  • testnode --max-old-space-size=16384 run-vitest.mjs
  • test:coveragenode --max-old-space-size=16384 run-vitest.mjs --coverage
  • test:watchvitest
  • typechecktsc --noEmit -p tsconfig.json
  • typecheck:narrowtsc --noEmit -p tsconfig.narrow.json
  • verify:workspacenode scripts/verify-internal-workspace-protocol.mjs
Dependencies10
  • @holoscript/agent-protocol^6.1.0
  • @holoscript/assimp-plugin^0.1.0
  • @holoscript/core-types^6.1.0
  • @holoscript/llm-provider^1.2.1
  • @holoscript/mesh^6.1.2
  • @holoscript/platform^6.1.1
  • @mediapipe/tasks-vision0.10.17
  • jose^6.2.2
  • jsonwebtoken^9.0.2
  • zod^4.3.6
Optional dependencies55
  • @gltf-transform/core^3.7.0
  • @gltf-transform/extensions^3.7.0
  • @gltf-transform/functions^3.7.0
  • @holoscript/alphafold-plugin^2.0.0
  • @holoscript/domain-plugin-template^0.0.1-template
  • @holoscript/medical-plugin^2.0.0
  • @holoscript/narupa-plugin^2.0.0
  • @holoscript/plugin-banking-finance^2.0.0
  • @holoscript/plugin-civil-engineering^2.0.0
  • @holoscript/plugin-culture-keyword^2.0.0
  • @holoscript/plugin-economic-primitives^2.0.0
  • @holoscript/plugin-education-lms^2.0.0
  • @holoscript/plugin-emergency-response^2.0.0
  • @holoscript/plugin-fashion^2.0.0
  • @holoscript/plugin-film-vfx^2.0.0
  • @holoscript/plugin-film3d-volumetrics^2.0.1
  • @holoscript/plugin-fitness-wellness^2.0.0
  • @holoscript/plugin-forensics^2.0.0
  • @holoscript/plugin-geolocation-gis^2.0.0
  • @holoscript/plugin-hardware-invention^2.0.0
  • @holoscript/plugin-hr-workforce^2.0.0
  • @holoscript/plugin-insurance^2.0.0
  • @holoscript/plugin-legal-document^2.0.0
  • @holoscript/plugin-manufacturing-qc^2.0.0
  • @holoscript/plugin-neuroscience^2.0.0
  • @holoscript/plugin-restaurant^2.0.0
  • @holoscript/plugin-retail-ecommerce^2.0.0
  • @holoscript/plugin-therapy^2.0.0
  • @holoscript/plugin-threat-intelligence^2.0.0
  • @holoscript/plugin-trait-audit^2.0.0
  • …and 25 more.