Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 666,614Ubiquitous · −70% score
- Versions published
- 44Mature · −50% score
- First published
- Jun 2024
- Publisher
- wxai-sdk-automation
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@ibm-cloud/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@ibm-cloud/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".aws"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 6 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/config/endpoints.js | matched ".aws" | 5 |
| low | Credential file access | package/authentication/utils/urls.js | matched ".aws" | 5 |
| low | Credential file access | package/config/endpoints.mjs | matched ".aws" | 5 |
| low | Credential file access | package/authentication/utils/urls.mjs | matched ".aws" | 5 |
Manifest
Package metadata
Scripts30
allnpm run test-unit && npm run lintbuild./scripts/buildcheck-packagesinstalled-check -e -d -vcleanrm -rf node_moduleseslint:checkeslint . --cacheeslint:fixeslint . --fixformatprettier --config .prettierrc.js --write "src" "scripts" "test"generate-types-reexportsnode scripts/utils/generate-types-reexports.cjsinstall-package-examplesnpm run local-publish && cd ./examples && npm run test-installinstall-package-regressionnpm run local-publish && cd ./test/langchain && npm run test-installjestNODE_OPTIONS="$NODE_OPTIONS --experimental-vm-modules" jest --lintnpm run eslint:checklint-fixnpm run eslint:fixlocal-publishnpm run build && command -v yalc >/dev/null 2>&1 || npm install -g yalc && (cd dist/ && yalc publish)postversionpublisher --no-checks --dry-runpreversionrm -rf examples/node_modulestestnpm run build && npm run lint && jesttest-allnpm run build && npm run lint && jest test/test-examplesnpm run local-publish && cd ./examples && npm run test-alltest-examples-langchainnpm run local-publish && cd ./examples && npm run test-langchaintest-examples-sdknpm run local-publish && cd ./examples && npm run test-sdktest-ilabnpm run build && jest test/integration/watsonx-ai-ml-ilab.vml_v1.test.js --testPathIgnorePatterns=''test-integrationnpm run build && jest test/integration/test-loranpm run build && jest test/integration/watsonx-ai-ml-lora_qlora.vml_v1.test.js --testPathIgnorePatterns=''test-regression./scripts/tests/run-regression-tests.shtest-unitnpm run build && npm run lint && jest test/unit/typedoctypedoctypedoc-mergetypedoc --entryPointStrategy mergeupdate-copyrightsnode ./scripts/utils/update-copyrights.cjsversionnode scripts/utils/check-version.cjs && git add src/version.ts
Dependencies2
form-data^4.0.4ibm-cloud-sdk-core^5.4.14