Package evidence
@kitn.ai/[email protected]
Suspicious Publish Context: {"package_age_days":1,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"edit_distance","target":"chai"},"version_anomaly":false,"new_account":false}
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 372
- Versions published
- 5
- First published
- Jun 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@kitn.ai/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@kitn.ai/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Suspicious Publish Context: {"package_age_days":1,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"edit_distance","target":"chai"},"version_anomaly":false,"new_account":false}
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Suspicious Publish Context | manifest | {"package_age_days":1,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"edit_distance","target":"chai"},"version_anomaly":false,"new_account":false} | 10 |
Manifest
Package metadata
Scripts21
buildvite build --config vite.config.ts && vite build --config vite.config.provider.tsbuild-storybooknpm run build:css && storybook buildbuild:apinode scripts/gen-element-api.mjsbuild:csstailwindcss -i src/elements/styles.css -o src/elements/compiled.css --minifybuild:css:watchtailwindcss -i src/elements/styles.css -o src/elements/compiled.css --watchbuild:schemasnode scripts/copy-card-schemas.mjsbuild:themenode scripts/build-theme-tokens.mjsdevnpm run build:css && storybook dev -p 6006dev:hostvite examples/remote-host --port 6006 --strictPortdev:providervite examples/remote-provider --port 6007 --strictPortexamplesecho 'Serving repo root on http://localhost:8000 — open http://localhost:8000/examples/composable/index.html' && python3 -m http.server 8000postbuildnpm run build:theme && npm run build:api && npm run build:schemasprebuildnpm run build:cssprepublishOnlynpm run buildstorybooknpm run build:css && storybook dev -p 6006testvitest runtest:e2eplaywright testtest:reactvitest run --config vitest.react.config.tstest:storybookvitest run --project=storybooktest:watchvitesttypechecktsc --noEmit && tsc --noEmit -p tsconfig.react.json && tsc --noEmit -p tsconfig.react.test.json
Dependencies11
@floating-ui/dom^1.7.6@shikijs/langs^4.2.0@shikijs/themes^4.2.0class-variance-authority^0.7.0clsx^2.1.0lucide-solid^0.400.0marked^18.0.0shiki^4.0.2solid-element^1.9.1solid-js^1.9.0tailwind-merge^2.5.0