Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 905
- Versions published: 61 (Established · −30% score)
- First published: Nov 2025
- Publisher: luracast
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 72 · status available -> available, risk high -> review, score 194 -> 72
- new → available · risk high · score 194 · status changed
Related candidates
Linked campaigns and clusters
- luracast: 2 members · evidence strength 64
- Install Lifecycle Suppresses Failure — prepare="git config core.hookspath .githooks || true": 4 members · evidence strength 87
- Install Lifecycle Suppresses Failure — prepare="git config core.hooksPath .githooks || true": 2 members · evidence strength 70

Evidence
Static findings
20 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/cli/commands/changelog.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/cli/commands/package-app.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/loader.js | matched "raw.githubusercontent.com" | 12 |
| medium | Large Javascript Payload | package/dist/beam-ts-worker.js | 9969362 bytes | 10 |
| medium | Large Javascript Payload | package/dist/beam.bundle.js | 3910286 bytes | 10 |
| low | Credential file access | package/dist/cli/commands/package.js | matched "GITHUB_TOKEN" | 5 |
| low | Obfuscation | package/dist/auth/mcp-jwt.js | matched "Buffer.from(parts[2], 'base64" | 3 |
| low | Obfuscation | package/dist/auto-ui/beam.js | matched "\\u26a1" | 3 |
| low | Obfuscation | package/dist/auto-ui/beam/routes/api-browse.js | matched "Buffer.from(contentBlob, 'base64" | 3 |
| low | Obfuscation | package/dist/auto-ui/bridge/renderers.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/auto-ui/streamable-http-transport.js | matched "Buffer.from(cursor, 'base64" | 3 |
| low | Obfuscation | package/dist/beam-form.bundle.js | matched "\\u2605" | 3 |
| low | Obfuscation | package/dist/cli/commands/build.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/daemon/constructor-env-replay.js | matched "Buffer.from(raw, 'base64" | 3 |
| low | Obfuscation | package/dist/loader.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/photon-cli-runner.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/dist/serv/auth/jwt.js | matched "Buffer.from(signatureB64, 'base64" | 3 |
| low | Obfuscation | package/dist/serv/vault/token-vault.js | matched "Buffer.from(ciphertext, 'base64" | 3 |
| low | Obfuscation | package/dist/shared/asset-encoding.js | matched "Buffer.from(value.slice(BASE64" | 3 |
| low | Obfuscation | package/dist/template-manager.js | matched "\\u2014" | 3 |
Manifest
Package metadata
Scripts (89)
- build: `eslint src/ --quiet && tsc && cp -r src/photons dist/ && chmod +x dist/cli.js && node scripts/build-beam.mjs`
- build:beam: `node scripts/build-beam.mjs`
- dev: `tsc --watch`
- dev:beam: `bun run build && bun run build:beam && (trap 'kill 0' EXIT; tsc --watch --preserveWatchOutput & node scripts/build-beam.mjs --watch & sleep 1 && tsx watch src/cli.ts beam)`
- format: `prettier --write "src/**/*.ts"`
- format:check: `prettier --check "src/**/*.ts"`
- knip: `knip`
- lint: `eslint src/`
- lint:fix: `eslint src/ --fix`
- prepare: `git config core.hooksPath .githooks || true`
- prepublishOnly: `bun run verify:publish-version && node -e "const p=require('./package.json'); if(JSON.stringify(p.dependencies).includes('file:')) { console.error('ERROR: file: dependency found.'); process.exit(1); }" && node -e "const fs=require('fs'),path=require('path'); const p=require('./package.json'); for(const d of Object.keys(p.dependencies||{})){const t=path.join('node_modules',d); if(fs.lstatSync(t).isSymbolicLink()){console.error('ERROR: '+d+' is linked. Run: bun remove '+d+' && bun add '+d); process.exit(1);}}" && bun run build && bun run build:beam`
- release: `release-it`
- release:dry: `release-it --dry-run`
- release:major: `release-it major`
- release:minor: `release-it minor`
- release:patch: `release-it patch`
- test: `bash scripts/run-tests.sh`
- test:a2ui: `bun run build && tsx tests/a2ui-mapper.test.ts && tsx tests/a2ui-e2e.test.ts && tsx tests/a2ui-renderer-script.test.ts`
- test:all: `bun run build && bun run test:security && bun run test:schema && bun run test:marketplace && bun run test:loader && bun run test:server && bun run test:integration && bun run test:byte-compat && bun run test:format-registry && bun run test:content-negotiation && bun run test:ui-resources && bun run test:client-adaptive && bun run test:zero-config && bun run test:mcp-config && bun run test:cli && bun run test:intent && bun run test:logger && bun run test:error-handler && bun run test:validation && bun run test:daemon-pubsub && bun run test:daemon-buffer && bun run test:instance-drift && bun run test:daemon-watcher && bun run test:ui-rendering && bun run test:photon-instance-manager && bun run test:viewport-aware-proxy && bun run test:viewport-manager && bun run test:pagination-integration && bun run test:pagination-performance && tsx tests/pagination-phase5.test.ts && tsx tests/pagination-phase5c.test.ts && tsx tests/pagination-phase5d.test.ts && tsx tests/phase6a-service-worker.test.ts && tsx tests/phase6b-offline-state.test.ts && tsx tests/phase6c-offline-sync.test.ts && tsx tests/phase6d-integration.test.ts && tsx tests/promises.test.ts && bun run test:cf-bindings && bun run test:cf-runtime && bun run test:cf-overrides && bun run test:cf-deploy && bun run test:cf-mcp-bearer && bun run test:readme`
- test:beam: `bun run build && tsx tests/beam/rendering.test.ts`
- test:beam:regressions: `bun run build && tsx tests/beam/beam-integration-regressions.test.ts`
- test:bridge: `bun run test:bridge:generation && bun run test:bridge:protocol && bun run test:bridge:beam`
- test:bridge:beam: `tsx tests/bridge/beam-integration.test.ts`
- test:bridge:generation: `tsx tests/bridge/bridge-generation.test.ts`
- test:bridge:protocol: `tsx tests/bridge/protocol.test.ts`
- test:byte-compat: `RUN_E2E=1 vitest run tests/v128-byte-compat.test.ts`
- test:cf-bindings: `vitest run tests/cf-bindings-parser.test.ts`
- test:cf-deploy: `vitest run tests/cf-deploy-toml.test.ts`
- test:cf-mcp-bearer: `vitest run tests/cf-mcp-bearer.test.ts`
- test:cf-overrides: `vitest run tests/cf-overrides.test.ts`
- …and 59 more.
Dependencies (17)
- @chenglou/pretext ^0.0.7
- @modelcontextprotocol/ext-apps ^1.0.1
- @modelcontextprotocol/sdk ^1.29.0
- @portel/cli ^1.1.0
- @portel/photon-core ^2.27.0
- boxen ^8.0.1
- chalk ^5.4.1
- chart.js ^4.5.1
- chokidar ^4.0.3
- cli-highlight ^2.1.11
- cli-table3 ^0.6.5
- commander ^12.1.0
- esbuild ^0.28.0
- fast-json-patch ^3.1.1
- miniflare ^4.20260507.1
- ora ^9.3.0
- qrcode ^1.5.4

Optional dependencies (1)
- better-sqlite3 ^12.9.0