Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 624
- First published: Mar 2026
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ouro.bot/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ouro.bot/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/heart/daemon/skill-management-installer.js | matched "raw.githubusercontent.com" | 12 |
Manifest
Package metadata
Scripts (27)
| Script | Command |
|---|---|
| audit:nerves | npm run build && node dist/nerves/coverage/cli-main.js |
| bluebubbles | tsc && node dist/senses/bluebubbles/entry.js --agent ouroboros |
| build | node scripts/build.cjs |
| cli | tsc && node dist/senses/cli-entry.js |
| daemon | tsc && node dist/heart/daemon/daemon-entry.js |
| dev | tsc && node dist/heart/daemon/ouro-bot-entry.js dev |
| lint | eslint src/ |
| ouro | tsc && node dist/heart/daemon/ouro-entry.js |
| package:verify-assets | node scripts/package-assets.cjs |
| prepack | npm run build && npm run package:verify-assets |
| release:bump | node scripts/release-bump.cjs |
| release:preflight | node scripts/release-preflight.cjs |
| release:smoke | node scripts/release-smoke.cjs |
| release:trust:check | node scripts/npm-trusted-publishers.cjs check |
| release:trust:repair | node scripts/npm-trusted-publishers.cjs repair |
| release:trust:repair-plan | node scripts/npm-trusted-publishers.cjs repair-plan |
| teams | tsc && node dist/senses/teams-entry.js --agent ouroboros |
| test | vitest run |
| test:coverage | node scripts/run-coverage-gate.cjs |
| test:coverage:vitest | vitest run --coverage |
| test:e2e:package | npm run build && node scripts/package-e2e.cjs |
| test:e2e:real-smoke | npm run build && node scripts/nightly-real-smoke.cjs |
| test:integration | npm run build && vitest run --config vitest.integration.config.ts |
| test:mailbox-ui | npm test --prefix packages/mailbox-ui |
| typecheck:mailbox-ui | tsc --noEmit -p packages/mailbox-ui/tsconfig.json |
| voice:eval | npm run build && node dist/senses/voice-realtime-eval-entry.js |
| worktree:bootstrap | npm install --ignore-scripts |
Dependencies (20)
| Package | Version |
|---|---|
| @anthropic-ai/sdk | ^0.78.0 |
| @azure/identity | ^4.13.0 |
| @azure/storage-blob | ^12.31.0 |
| @microsoft/teams.api | 2.0.11 |
| @microsoft/teams.apps | 2.0.11 |
| @microsoft/teams.cards | 2.0.11 |
| @microsoft/teams.common | 2.0.11 |
| @microsoft/teams.dev | 2.0.11 |
| @microsoft/teams.graph | 2.0.11 |
| @types/react | ^17.0.91 |
| @types/ws | ^8.18.1 |
| fast-glob | ^3.3.3 |
| ink | ^3.2.0 |
| mailparser | ^3.9.8 |
| openai | ^6.27.0 |
| react | ^17.0.2 |
| semver | ^7.7.4 |
| smtp-server | ^3.18.4 |
| stripe | ^22.0.0 |
| ws | ^8.20.0 |