PkgRadar

Package evidence

@pan-sec/[email protected]

Credential file access: matched ".config/gcloud"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
134
Versions published
32Established · −30% score
First published
Nov 2025
Publisher
pantheonsecurity

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pan-sec/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pan-sec/[email protected]"],"fail_on":"review"}'
Publisherpantheonsecurity
Artifact bytes410,009
Previous version2026.3.3
Published2026-06-01T05:18:50.808Z
SHA-25674c67190b25e88cd4e07f3550eaccd96feedac5a54dc4b7f055cfa9141d4b4b1

Why flagged

What the scanner saw

Credential file access: matched ".config/gcloud"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
2026.4.0Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/tools/handlers/notebook-creation.jsmatched ".config/gcloud"5

Manifest

Package metadata

Scripts17
  • buildtsc
  • build:publishnode -e "require('fs').rmSync('dist',{recursive:true,force:true})" && tsc -p tsconfig.build.json
  • ci:installnpm ci --ignore-scripts
  • devtsx watch src/index.ts
  • discover-selectorsnpx tsx scripts/run-discovery.ts
  • postbuildnode -e "if(process.platform!=='win32'){require('fs').chmodSync('dist/index.js',0o755)}"
  • preparenpm run build:publish
  • prepublishOnlynpm run build:publish && node -e "if(process.platform!=='win32'){require('fs').chmodSync('dist/index.js',0o755)}"
  • security-checknpm audit
  • security-scanmedusa scan . --fail-on high
  • testnpx vitest run
  • test:coveragenpx vitest run --coverage
  • test:integrationnpx vitest run tests/mcp-server.integration.test.ts
  • test:mutationnpx stryker run --dryRunOnly
  • test:propertynpx vitest run tests/property-based.test.ts
  • test:watchnpx vitest
  • watchtsc --watch
Dependencies8
  • @google/genai1.41.0
  • @modelcontextprotocol/sdk1.29.0
  • @noble/post-quantum0.5.4
  • dotenv17.2.3
  • env-paths4.0.0
  • globby16.1.0
  • patchright1.57.0
  • pdf-lib1.17.1