Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 217
- Versions published
- 40
- First published
- Apr 2026
- Publisher
- may-keepur
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@keepur/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@keepur/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 79 · status changed
Evidence
Static findings
19 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/pkg/mcp/background-task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/clickup.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/code-task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/github-issues.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/google.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/keychain.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/linear.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/quo.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/recall.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/resend.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/search-conversation.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/server.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/skill-author.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/slack.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/voice.min.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/service/deploy.sh | matched "curl " | 12 |
| medium | Remote Payload | package/install/migrate-0.2.sh | matched "curl " | 12 |
Show all 19 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/pkg/mcp/background-task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/clickup.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/code-task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/github-issues.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/google.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/keychain.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/linear.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/quo.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/recall.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/resend.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/search-conversation.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/server.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/skill-author.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/slack.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/task.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/pkg/mcp/voice.min.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/service/deploy.sh | matched "curl " | 12 |
| medium | Remote Payload | package/install/migrate-0.2.sh | matched "curl " | 12 |
| low | Credential file access | package/pkg/mcp/keychain.min.js | matched "GITHUB_TOKEN" | 5 |
Manifest
Package metadata
Scripts28
buildtscbundlenpm run build && npx tsx build/bundle.tschecknpm run typecheck && npm run lint && npm run format:check && npm run testcheck:bundlenpm run bundle && node scripts/check-bundle-strings.mjs && node scripts/check-bundle-pack.mjs && node scripts/check-bundle-runtime.mjsdevnpx tsx src/index.tsformatprettier --write "src/**/*.ts" "setup/**/*.ts"format:checkprettier --check "src/**/*.ts" "setup/**/*.ts"linteslint src/ setup/lint:fixeslint --fix src/ setup/migrate:agents:add-rolesnpx tsx scripts/migrate-agents-add-roles.tsmigrate:agents:legacynpx tsx setup/migrate-agents.tsmigrate:contacts-categoriesnpx tsx scripts/migrate-contacts-categories.tsmigrate:split-crm-contactsnpx tsx setup/migrate-split-crm-contacts.tspostversiongit push --follow-tagsprepublishOnlynpm run bundlereindexnpx tsx scripts/code-index.tssetupnpx tsx src/cli.ts initsetup:constitutionnpx tsx setup/setup-constitution.tssetup:instancenpx tsx setup/setup-instance.tssetup:plistnpx tsx setup/generate-plist.tssetup:pluginsnpx tsx setup/sync-plugins.tssetup:seedsnpx tsx setup/setup-seeds.tsstartnode dist/index.jstestvitest runtest:coveragevitest run --coveragetest:watchvitesttypechecktsc --noEmitupdategit pull && npm install && npm run build
Dependencies17
@anthropic-ai/claude-agent-sdk^0.2.63@anthropic-ai/sdk^0.82.0@linear/sdk^76.0.0@modelcontextprotocol/sdk^1.27.1@qdrant/js-client-rest^1.17.0@slack/socket-mode^2.0.5@slack/web-api^7.14.1better-sqlite3^12.8.0brave-search-mcp^2.0.1csv-parse^6.1.0dotenv^17.3.1mammoth^1.11.0mongodb^7.1.0pdf-parse^2.4.5ws^8.19.0xlsx^0.18.5yaml^2.8.2