Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,440Niche · −30% score
- Versions published
- 29
- First published
- May 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@openhands/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@openhands/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 21 · status changed
Evidence
Static findings
39 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 39 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/i18n/declaration.cjs | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/node_modules/@openhands/extensions/skills/index.cjs | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/i18n/translation.cjs | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/build/assets/acp-providers-Dzb4nxxB.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/build/assets/declaration-D9ucT0fq.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/i18n/declaration.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/node_modules/@openhands/extensions/skills/index.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/i18n/translation.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/build/assets/vendor~root-layout~home~conversation-panel~conversation~launch~skills-settings~mcp~automati~dou5smdo-DPWYsRFL.js | matched ".ssh/" | 5 |
| low | Credential file access | package/build/locales/ar/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/ca/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/de/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/en/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/es/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/fr/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/it/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/ja/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/ko-KR/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/no/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/pt/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/tr/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/uk/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/zh-CN/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/build/locales/zh-TW/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/ar/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/ca/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/de/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/en/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/es/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/fr/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/it/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/ja/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/ko-KR/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/no/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/pt/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/tr/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/uk/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/zh-CN/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/locales/zh-TW/openhands.json | matched "AWS_ACCESS_KEY" | 3 |
Manifest
Package metadata
Scripts30
buildnpm run build:appbuild:appnpm run make-i18n && react-router buildbuild:dockernode scripts/docker-build.mjsbuild:libnpm run make-i18n && react-router typegen && cross-env BUILD_LIB=true VITE_APP_ENV=production vite build && tsc -p tsconfig.lib.jsonbuild:mocknpm run make-i18n && cross-env VITE_MOCK_API=true react-router buildcheck-translation-completenessnode scripts/check-translation-completeness.cjsdevnode --env-file-if-exists=.env scripts/dev-with-automation.mjsdev:extra-backendnode --env-file-if-exists=.env scripts/dev-extra-backend.mjsdev:frontendnpm run make-i18n && cross-env VITE_MOCK_API=false react-router devdev:minimalnode --env-file-if-exists=.env scripts/dev-safe.mjsdev:mocknpm run make-i18n && cross-env VITE_MOCK_API=true react-router devdev:staticnode --env-file-if-exists=.env scripts/dev-static.mjsdev_wslVITE_WATCH_USE_POLLING=true vitelintnpm run typecheck && eslint src && prettier --check src/**/*.{ts,tsx}lint:fixeslint src --fix && prettier --write src/**/*.{ts,tsx}make-i18nnode scripts/make-i18n-translations.cjsprelintnpm run make-i18npreparehuskypreviewvite previewstartnpx sirv-cli build/ --singletestnpm run make-i18n && vitest runtest:coveragenpm run make-i18n && vitest run --coveragetest:e2eplaywright test --pass-with-no-teststest:e2e:livenode --env-file-if-exists=.env tests/e2e/live/scripts/run-live-e2e.mjstest:e2e:mock-llmplaywright test --config=playwright.mock-llm.config.tstest:e2e:mock-llm:dockerplaywright test --config=playwright.mock-llm-docker.config.tstest:e2e:snapshotsplaywright test tests/e2e/snapshots --project=chromium --retries=0test:e2e:snapshots:updateplaywright test tests/e2e/snapshots --project=chromium --update-snapshotstypecheckreact-router typegen && tsctypecheck:stagedreact-router typegen && npx tsc --noEmit --skipLibCheck
Dependencies48
@heroui/react2.8.10@microlink/react-json-view1.31.20@monaco-editor/react4.7.0@openhands/extensions0.4.2@openhands/typescript-client1.24.3@react-router/node7.17.0@react-router/serve7.17.0@tailwindcss/vite4.2.4@tanstack/react-query5.100.9@types/shell-quote^1.7.5@uidotdev/usehooks2.4.1@xterm/addon-fit0.11.0@xterm/xterm6.0.0axios1.16.0class-variance-authority0.7.1clsx2.1.1downshift9.3.2framer-motion12.38.0i18next26.0.8i18next-browser-languagedetector8.2.1i18next-http-backend4.0.0isbot5.1.39lucide-react1.14.0monaco-editor0.55.1posthog-js1.372.6react19.2.5react-dom19.2.5react-hot-toast2.6.0react-i18next17.0.6react-icons5.6.0- …and 18 more.