PkgRadar

Package evidence

@portel/[email protected]

Install-time lifecycle script: postinstall="npm run build:if-dev"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 85
Versions published: 23 · Established · −30% score
First published: Sep 2025
Publisher: luracast

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'

Publisher: luracast
Artifact bytes: 935,474
Previous version: 2.0.1
Published: 2025-12-29T17:07:23.955Z
SHA-256: 97cf195947ca0e5ae4cde6201f8c6397f679302c88ceb7d39ba0c2741f66c858

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="npm run build:if-dev"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 2.0.2
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All findings (1; low-signal and informational)

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="npm run build:if-dev" | 5 |

Manifest

Package metadata

Scripts (45)
  • build="npm run extract-schemas && tsc && npm run copy-schemas && chmod +x dist/index.js dist/index-mcp.js"
  • build:dxt="npm run build:mcpb"
  • build:dxt:patched="npm run build:mcpb:patched"
  • build:dxt:prod="npm run build:mcpb:prod"
  • build:dxt:signed="npm run build:mcpb:signed"
  • build:if-dev="[ -d node_modules/typescript ] && npm run build || echo 'Build skipped (production install)'"
  • build:mcpb="bash scripts/build-dxt-clean.sh"
  • build:mcpb:patched="npm run build:mcpb && ./scripts/patch-dxt-zip.sh"
  • build:mcpb:prod="npm run build:mcpb && npx @anthropic-ai/mcpb sign ncp.mcpb --cert cert.pem --key key.pem && npm run test:mcpb"
  • build:mcpb:signed="npm run build:mcpb:patched && npx @anthropic-ai/mcpb sign ncp.mcpb --self-signed && npm run test:mcpb"
  • copy-schemas="mkdir -p dist/internal-mcps && cp src/internal-mcps/*.schema.json dist/internal-mcps/ 2>/dev/null || true"
  • dev="npm run build && npm run start"
  • extract-schemas="tsx scripts/extract-schemas.ts"
  • postinstall="npm run build:if-dev"
  • prepack="npm run build && npm run test:pre-publish"
  • prepublishOnly="npm run build && npm run test:pre-publish && node scripts/sync-server-version.cjs"
  • release="release-it"
  • release:dry="release-it --dry-run"
  • start="node dist/index.js"
  • stats="node scripts/check-dxt-downloads.js"
  • test="cross-env NODE_OPTIONS=--experimental-vm-modules jest --detectOpenHandles --forceExit"
  • test:ci="npm run test:critical && npm run test:e2e && npm run test:integration && npm run test:integration:dxt && npm run test:mcpb"
  • test:cli="bash tests/cli-help-validation.sh"
  • test:client-registry="node scripts/test-client-registry.js"
  • test:coverage="cross-env NODE_OPTIONS=--experimental-vm-modules jest --coverage --detectOpenHandles --forceExit"
  • test:critical="cross-env NODE_OPTIONS=--experimental-vm-modules jest tests/mcp-server-protocol.test.ts tests/mcp-timeout-scenarios.test.ts --verbose --detectOpenHandles --forceExit"
  • test:dxt="npm run test:mcpb"
  • test:e2e="npm run build && cross-env NODE_OPTIONS=--experimental-vm-modules jest tests/e2e --detectOpenHandles --forceExit --runInBand"
  • test:e2e:cli="npm run build && cross-env NODE_OPTIONS=--experimental-vm-modules jest tests/e2e/cli-integration.test.ts --verbose --detectOpenHandles --forceExit --runInBand"
  • test:e2e:internal-mcps="npm run build && cross-env NODE_OPTIONS=--experimental-vm-modules jest tests/e2e/internal-mcps-e2e.test.ts --verbose --detectOpenHandles --forceExit"
  • …and 15 more.
Dependencies (27)
  • @anthropic-ai/sdk ^0.67.0
  • @modelcontextprotocol/sdk ^1.18.0
  • @napi-rs/keyring ^1.2.0
  • @portel/photon-core ^1.1.0
  • @types/prompts ^2.4.9
  • @xenova/transformers ^2.17.2
  • adm-zip ^0.5.16
  • asciichart ^1.5.25
  • chalk ^5.3.0
  • chokidar ^5.0.0
  • cli-graph ^3.2.2
  • cli-highlight ^2.1.11
  • clipboardy ^4.0.0
  • commander ^14.0.1
  • env-paths ^3.0.0
  • human-signals ^8.0.1
  • isolated-vm ^6.0.2
  • js-yaml ^4.1.1
  • json-colorizer ^3.0.1
  • marked ^15.0.12
  • marked-terminal ^7.3.0
  • pdf-lib ^1.17.1
  • prettyjson ^1.2.5
  • prompts ^2.4.2
  • tsx ^4.20.6
  • uuid ^11.0.5
  • yaml ^2.8.1