Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@lon-ask/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@lon-ask/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 57 · status changed
Evidence
Static findings
7 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/apps/server/dist/routes/build.js | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/dist/mcp-http.js | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/src/routes/build.ts | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/src/mcp-http.ts | matched "curl " | 12 |
Show all 7 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/apps/server/dist/routes/build.js | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/dist/mcp-http.js | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/src/routes/build.ts | matched "curl " | 12 |
| medium | Remote Payload | package/apps/server/src/mcp-http.ts | matched "curl " | 12 |
| low | Obfuscation | package/apps/client/dist/assets/index-CKv6gxre.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/apps/server/dist/services/textExtractor.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/apps/server/src/services/textExtractor.ts | matched "fromCharCode" | 3 |
Manifest
Package metadata
Scripts10
buildnpm run build:server && npm run build:clientbuild:clientnpm run build -w apps/clientbuild:embeddingsnpm run build -w packages/embeddingsbuild:servernpm run build:embeddings && npm run build -w apps/serverdesktop:buildnpm run build:server && npm run tauri -w apps/client -- builddesktop:devnpm run build:server && npm run tauri -w apps/client -- devdevconcurrently "npm run dev:server" "npm run dev:client"dev:clientnpm run dev -w apps/clientdev:servernpm run dev -w apps/serverprepublishOnlynpm run build
Dependencies22
@antora/cli^3.1.14@antora/site-generator^3.2.0-alpha.11@asciidoctor/core^2.2.9@cfworker/json-schema^4.1.1@modelcontextprotocol/server^2.0.0-alpha.2@tailwindcss/vite^4.0.0@vitejs/plugin-react^4.3.4better-sqlite3^12.10.0cors^2.8.5express^4.21.2js-yaml^4.1.1lucide-react^0.469.0marked^18.0.3node-html-parser^6.1.13react^19.0.0react-dom^19.0.0react-router-dom^7.1.1tailwindcss^4.0.0tsx^4.19.2unzipper^0.12.3uuid^11.0.5vite^6.0.7
Optional dependencies2
@lancedb/lancedb^0.27.2@lon-ask/dockit-embeddings^0.1.7