PkgRadar

Package evidence

@kaelio/[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
20
First published
May 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kaelio/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kaelio/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes1,529,603
Previous version0.11.0
Published2026-06-12T16:45:28.988Z
SHA-256aa704e407d3f19b7cd7f7669b7be5bd69341114a583963abc2f9db034acde660

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
0.12.0Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/context/llm/claude-code-env.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/setup-databases.jsmatched ".ssh/"5

Manifest

Package metadata

Scripts13
  • assets:demonode scripts/build-demo-assets.mjs
  • buildtsc -p tsconfig.json && node dist/telemetry/schema-writer.js src/telemetry/events.schema.json ../../python/ktx-daemon/src/ktx_daemon/telemetry/events.schema.json && node scripts/copy-runtime-assets.mjs && node ../../scripts/prepare-cli-bin.mjs
  • cleannode -e "fs.rmSync('dist', { recursive: true, force: true })"
  • docs:commandspnpm run build && node dist/print-command-tree.js
  • relationships:benchmarkspnpm --silent run build && node ../../scripts/relationship-benchmark-report.mjs
  • relationships:benchmarks:testKTX_RUN_RELATIONSHIP_BENCHMARKS=1 vitest run test/context/scan/relationship-benchmarks.test.ts
  • search:pglite-owner-prototypenode ../../scripts/pglite-owner-process-prototype.mjs
  • search:pglite-sl-prototypenode ../../scripts/pglite-sl-search-prototype.mjs
  • search:pglite-spikenode ../../scripts/pglite-hybrid-search-spike.mjs
  • smokevitest run test/standalone-smoke.test.ts test/example-smoke.test.ts --testTimeout 30000
  • testvitest run --exclude test/standalone-smoke.test.ts --exclude test/example-smoke.test.ts --exclude test/setup-databases.test.ts --exclude test/scan.test.ts --exclude test/commands/connection-metabase-setup.test.ts --exclude test/setup-models.test.ts --exclude test/setup-sources.test.ts --exclude test/setup.test.ts --exclude test/connection.test.ts --exclude test/setup-embeddings.test.ts --exclude test/ingest.test.ts --exclude test/commands/connection-mapping.test.ts --exclude test/ingest-viz.test.ts --exclude test/demo.test.ts --exclude test/setup-project.test.ts --exclude test/sl.test.ts --exclude test/local-scan-connectors.test.ts --exclude test/commands/connection-notion.test.ts --exclude test/context/scan/local-scan.test.ts --exclude test/context/mcp/local-project-ports.test.ts --exclude test/context/ingest/local-stage-ingest.test.ts --exclude test/context/sl/pglite-sl-search-prototype.test.ts --exclude test/context/core/git.service.test.ts --exclude test/context/ingest/local-adapters.test.ts --exclude test/context/ingest/local-bundle-ingest.test.ts --exclude test/context/ingest/local-metabase-ingest.test.ts --exclude test/context/sl/local-sl.test.ts --exclude test/context/search/pglite-owner-process.test.ts --exclude test/context/scan/local-enrichment-artifacts.test.ts --exclude test/context/search/pglite-spike.test.ts --exclude test/context/wiki/local-knowledge.test.ts --exclude test/context/sl/local-query.test.ts --exclude test/context/scan/relationship-review-decisions.test.ts --exclude test/context/scan/relationship-profiling.test.ts
  • test:slowvitest run test/setup-databases.test.ts test/scan.test.ts test/commands/connection-metabase-setup.test.ts test/setup-models.test.ts test/setup-sources.test.ts test/setup.test.ts test/connection.test.ts test/setup-embeddings.test.ts test/ingest.test.ts test/commands/connection-mapping.test.ts test/ingest-viz.test.ts test/demo.test.ts test/setup-project.test.ts test/sl.test.ts test/local-scan-connectors.test.ts test/commands/connection-notion.test.ts test/context/scan/local-scan.test.ts test/context/mcp/local-project-ports.test.ts test/context/ingest/local-stage-ingest.test.ts test/context/sl/pglite-sl-search-prototype.test.ts test/context/core/git.service.test.ts test/context/ingest/local-adapters.test.ts test/context/ingest/local-bundle-ingest.test.ts test/context/ingest/local-metabase-ingest.test.ts test/context/sl/local-sl.test.ts test/context/search/pglite-owner-process.test.ts test/context/scan/local-enrichment-artifacts.test.ts test/context/search/pglite-spike.test.ts test/context/wiki/local-knowledge.test.ts test/context/sl/local-query.test.ts test/context/scan/relationship-review-decisions.test.ts test/context/scan/relationship-profiling.test.ts --testTimeout 30000
  • type-checktsc -p tsconfig.json --noEmit && tsc -p tsconfig.test.json --noEmit
Dependencies35
  • @ai-sdk/anthropic3.0.78
  • @ai-sdk/devtools0.0.18
  • @ai-sdk/google-vertex^4.0.134
  • @anthropic-ai/claude-agent-sdk0.3.146
  • @clack/core1.3.1
  • @clack/prompts1.4.0
  • @clickhouse/client^1.18.5
  • @commander-js/extra-typings14.0.0
  • @google-cloud/bigquery^8.3.1
  • @looker/sdk^26.8.0
  • @looker/sdk-node^26.8.0
  • @looker/sdk-rtl^21.6.5
  • @modelcontextprotocol/sdk^1.29.0
  • @notionhq/client^5.22.0
  • @openai/codex-sdk^0.133.0
  • ai^6.0.188
  • better-sqlite3^12.10.0
  • commander14.0.3
  • fflate^0.8.3
  • handlebars^4.7.9
  • ink^7.0.3
  • lookml-parser7.1.0
  • minimatch^10.2.5
  • mssql^12.5.4
  • mysql2^3.22.3
  • openai^6.38.0
  • p-limit^7.3.0
  • pg^8.21.0
  • posthog-node^5.34.9
  • react^19.2.6
  • …and 5 more.