Package evidence

@powerhousedao/[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 42
First published: May 2026
Publisher: memo.dev

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@powerhousedao/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@powerhousedao/[email protected]"],"fail_on":"review"}'

Publishermemo.dev

Artifact bytes24,718,507

Previous version0.1.0-dev.85

Published2026-06-11T20:07:49.377Z

SHA-2561cf00afdb6c484a6f9be620fd585837bb71594baacf5f1f5f8409874ff588251

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

6h agoLast checked

reviewRisk

20Score

0.1.0-dev.86Version

Status history (1 event)

new → available6h ago · risk review · score 20 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/browser/ssh-config-Bn41H2ww.js	matched ".ssh/"	5
low	Credential file access	package/dist/browser/ssh-config-CO27_JpW.js	matched ".ssh/"	5
low	Credential file access	package/dist/node/ssh-config-Bh5lnhN1.mjs	matched ".ssh/"	5
low	Credential file access	package/dist/node/ssh-config-fNmAA8iv.mjs	matched ".ssh/"	5
low	Obfuscation Density	package/dist/browser/chunk-727SXJPM-CRi_31OZ.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/node/chunk-727SXJPM-BjQJtF1O.mjs	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts15

buildph-cli build && tsc && tsc -p tsconfig.chat.json
check-circular-importsnpx dpdm -T ./index.ts
connectph-cli connect
generateph-cli generate
linteslint --config eslint.config.js --cache --cache-strategy content
lint:fixnpm run lint -- --fix
reactorph-cli reactor
serviceph-cli service
service-startupbash ./node_modules/@powerhousedao/ph-cli/dist/scripts/service-startup.sh
service-unstartupbash ./node_modules/@powerhousedao/ph-cli/dist/scripts/service-unstartup.sh
testvitest run
test:watchvitest
tsctsc
tsc:watchtsc --watch
vetraph-cli vetra

Dependencies32

@powerhousedao/analytics-engine-core6.0.0-dev.257
@powerhousedao/connect6.0.0-dev.257
@powerhousedao/design-system6.0.0-dev.257
@powerhousedao/document-engineering1.40.1
@powerhousedao/reactor-api6.0.0-dev.257
@powerhousedao/reactor-attachments6.2.0-dev.8
@powerhousedao/reactor-browser6.0.0-dev.257
@powerhousedao/shared6.0.0-dev.257
@radix-ui/react-use-controllable-state^1.2.2
@streamdown/cjk^1.0.3
@streamdown/code^1.1.1
@streamdown/math^1.0.2
@streamdown/mermaid^1.0.2
ai^6.0.174
class-variance-authority^0.7.1
clsx^2.1.1
cmdk^1.1.1
document-model6.0.0-dev.257
graphql16.12.0
graphql-tag^2.12.6
lucide-react^1.14.0
motion^12.38.0
nanoid^5.1.11
radix-ui^1.4.3
react^19.2.3
react-dom^19.2.3
shiki^4.0.2
streamdown^2.5.0
tailwind-merge^3.5.0
tw-animate-css^1.4.0
…and 2 more.