Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 168 (Mature · −50% score)
- First published: May 2024
- Publisher: locofy
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl:
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@locofy/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@locofy/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 12 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/skills/enhance-execute/references/build-rn-ios.sh | matched "curl " | 12 |
| medium | Remote Payload | package/dist/skills/agent-browser/references/setup-browser.sh | matched "curl " | 12 |
Manifest
Package metadata
Scripts (15)

| Script | Command |
|---|---|
| build | `tsc && tsc-alias && cpy default-files dist && cpy 'src/agent/tool/tools/*.txt' dist/agent/tool/tools && cpy 'src/agent/integrate/gradle-wrapper/**/*' dist/agent/integrate/gradle-wrapper` |
| build:minify | `npm run build && npm run minify` |
| bundle:skills | `node ./src/agent/skills/bundle.mjs` |
| link | `rimraf dist && npm run build && npm link` |
| lint | `eslint . --ext .ts --fix` |
| minify | `node scripts/minify.mjs` |
| postbuild | `npm run minify &&chmod +x dist/index.js` |
| prebuild | `npm run bundle:skills && node -e "const c=require('child_process').execSync('git rev-parse --short HEAD').toString().trim(); require('fs').writeFileSync('src/build-info.ts', '/** Auto-generated at build time. Do not edit manually. */\nexport const GIT_COMMIT = \x27'+c+'\x27;\n')"` |
| pretest | `npm run bundle:skills` |
| test | `jest` |
| test-angular | `jest tests/angular/ --no-coverage` |
| test:swiftui | `npx ts-node -r tsconfig-paths/register tests/swiftui/test-integration.ts` |
| test:swiftui:all | `npm run test:swiftui:types && npm run test:swiftui` |
| test:swiftui:types | `npx ts-node tests/swiftui/test-type-decoder.ts` |
| unlink | `npm unlink @locofy/cli -g` |

Dependencies (63)
- @angular/cli 21.1.4
- @babel/core ^7.26.10
- @babel/plugin-syntax-jsx ^7.25.9
- @babel/preset-env ^7.26.0
- @babel/preset-flow ^7.27.1
- @babel/preset-react ^7.26.3
- @babel/preset-typescript ^7.27.0
- @svgr/webpack ^8.1.0
- @tailwindcss/postcss ~4.1.4
- @vitejs/plugin-vue ^6.0.4
- adm-zip ^0.5.16
- archiver ^7.0.1
- autoprefixer ^10.4.21
- babel-loader ^10.0.0
- colors-cli ^1.0.33
- commander ^13.1.0
- css-loader ^7.1.2
- date-fns ^4.1.0
- dotenv ^16.5.0
- dotenv-webpack ^8.1.0
- enquirer ^2.4.1
- file-loader ^6.2.0
- form-data ^4.0.4
- html-element-attributes ^3.4.0
- inquirer ^12.5.2
- less ^4.3.0
- marked ^15.0.12
- marked-terminal ^7.3.0
- mime-types ^3.0.1
- mini-svg-data-uri ^1.4.4
- …and 33 more.

Optional dependencies (2)
- tree-sitter ^0.21.0
- tree-sitter-kotlin ^0.3.7