Package evidence

@proofofwork-agency/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 10
First published: May 2026
Publisher: proofofworkagency

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@proofofwork-agency/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@proofofwork-agency/[email protected]"],"fail_on":"review"}'

Publisherproofofworkagency

Artifact bytes757,138

Previous version1.1.3

Published2026-05-19T16:38:50.126Z

SHA-256b77a1a1a5124453b7b4c3a989d62b0c02c0b42fa41056b3e255c0169d6f29741

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18d agoLast checked

reviewRisk

15Score

1.1.4Version

Status history (1 event)

new → available18d ago · risk review · score 15 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 4 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/plugins/contextrelay/server/bridge-server.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/plugins/contextrelay/server/daemon.js	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	postinstall="node scripts/postinstall.cjs"	5
low	Large Javascript Payload	package/dist/cli.js	2677624 bytes	0

Manifest

Package metadata

Scripts17

build:climkdir -p dist && bun build src/cli.ts --outfile dist/cli.js --target bun && node scripts/strip-generated-whitespace.cjs dist/cli.js && chmod +x dist/cli.js
build:pluginmkdir -p plugins/contextrelay/server && bun build src/bridge.ts --outfile plugins/contextrelay/server/bridge-server.js --target bun && bun build src/daemon.ts --outfile plugins/contextrelay/server/daemon.js --target bun && node scripts/strip-generated-whitespace.cjs plugins/contextrelay/server/bridge-server.js plugins/contextrelay/server/daemon.js
checktsc --noEmit && bun test src && bun run test:examples && bun run verify:cli-sync && bun run verify:plugin-sync && bun run verify:docs-sync && bun run validate:plugin && bun scripts/check-plugin-versions.js && node scripts/check-lockfile.cjs
check:bunnode scripts/check-bun.cjs
postinstallnode scripts/postinstall.cjs
prepublishOnlynpm run check:bun && bun run check && bun run build:cli && bun run build:plugin && bun run check && node scripts/build-info.cjs && bun run verify:package
preuninstallnode scripts/preuninstall.cjs
startbun run src/bridge.ts
testbun test src
test:examplesbun test ./examples/shopping-basket/basket.test.js
typechecktsc --noEmit
validate:pluginnode scripts/validate-plugin.cjs
validate:plugin-versionsbun scripts/check-plugin-versions.js
verify:cli-syncnode scripts/verify-cli-sync.cjs
verify:docs-syncnode scripts/verify-docs-sync.cjs
verify:packagenode scripts/verify-package.cjs
verify:plugin-syncnode scripts/verify-plugin-sync.cjs

Dependencies3

ink7.0.3
react19.2.6
react-devtools-core7.0.1