Package evidence

@raishin/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 18
First published: Apr 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@raishin/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@raishin/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes5,316,097

Previous version2.3.0

Published2026-05-21T08:32:24.239Z

SHA-256cceb47f6f5842ebdc9750760e185604ec2ecef39708d95d165bf8d38952843bd

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18d agoLast checked

reviewRisk

45Score

2.5.0Version

Status history (1 event)

new → available18d ago · risk review · score 45 · status changed

Evidence

Static findings

221 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/catalog/agents.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-capacity-planner-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-cost-optimization-analyst-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-maestro-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-security-hardening-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/metadata.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/metadata.json	matched "curl "	12
medium	Remote Payload	package/skills/contabo/contabo-live-instance-lifecycle-guard/metadata.json	matched "curl "	12
medium	Remote Payload	package/skills/contabo/contabo-live-storage-operations-guard/metadata.json	matched "curl "	12
medium	Remote Payload	package/catalog/skills.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-capacity-planner-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-cost-optimization-analyst-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-maestro-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-security-hardening-agent/harnesses/codex.toml	matched "curl "	12

Show all 221 findings (low-signal and informational)

Showing 60 of 221 findings.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/catalog/agents.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-capacity-planner-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-cost-optimization-analyst-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-maestro-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-security-hardening-agent/harnesses/kiro-cli.agent.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/metadata.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/metadata.json	matched "curl "	12
medium	Remote Payload	package/skills/contabo/contabo-live-instance-lifecycle-guard/metadata.json	matched "curl "	12
medium	Remote Payload	package/skills/contabo/contabo-live-storage-operations-guard/metadata.json	matched "curl "	12
medium	Remote Payload	package/catalog/skills.json	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-capacity-planner-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-cost-optimization-analyst-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-instance-lifecycle-guard-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-live-storage-operations-guard-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-maestro-agent/harnesses/codex.toml	matched "curl "	12
medium	Remote Payload	package/agents/contabo/contabo-security-hardening-agent/harnesses/codex.toml	matched "curl "	12
low	Credential file access	package/scripts/generate-kiro-powers.mjs	matched "kubeconfig"	5
low	Credential file access	package/catalog/agents.json	matched ".aws"	3
low	Credential file access	package/agents/alibaba/alibaba-live-ack-rollout-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/finops/finops-kubernetes-rightsizer-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/gcp/gcp-live-gke-rollout-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/huawei/huawei-live-cce-rollout-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/huawei/huawei-secmaster-security-operations-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/ionos/ionos-kubernetes-platform-operator-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-agentic-ai-platform-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-ai-infrastructure-operations-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-ai-networking-fabric-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-ai-operations-day2-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-generative-ai-platform-review-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-gpu-operator-kubernetes-hardening-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-maestro-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3
low	Credential file access	package/agents/nvidia/nvidia-ngc-nim-supply-chain-governor-agent/harnesses/kiro-cli.agent.json	matched "kubeconfig"	3

Manifest

Package metadata

Scripts39

agents:exportnode scripts/export-marketplace-agents.mjs
asset-integrity:writepython3 tests/validate-asset-integrity.py --write
cursor-plugin:writenode scripts/generate-cursor-plugin.mjs
kiro-powers:writenode scripts/generate-kiro-powers.mjs
lint:docsnpm run lint:md && npm run lint:spell
lint:mdnpx --yes markdownlint-cli2 "**/*.md" "#node_modules" "#.git" "#.code-review-graph" "#CHANGELOG.md"
lint:spellcodespell
maestro-routing:writepython3 tests/_generate_maestro_routing_fixtures.py
manifest:checkpython3 tests/validate-skill-manifest.py
manifest:writepython3 tests/validate-skill-manifest.py --write
manifest:write:allnpm run manifest:write & npm run plugin-manifest:write & npm run cursor-plugin:write & npm run kiro-powers:write & npm run asset-integrity:write & npm run readme-counts:write & wait
plugin-manifest:writenode scripts/generate-plugin-manifest.mjs
readme-counts:writenode scripts/generate-readme-counts.mjs
release:sbomcommand -v syft >/dev/null 2>&1 && syft scan dir:. -o spdx-json=sbom.spdx.json || echo 'syft not installed; SBOM is generated in CI by anchore/sbom-action'
test:copilot-bundlingpython3 tests/test-copilot-skill-bundling.py
test:cursor-kiro-noticesnode tests/export-cursor-kiro-skill-notice.test.mjs
test:fuzznode tests/fuzz-properties.test.mjs
test:gemini-bundlingpython3 tests/test-gemini-skill-bundling.py
test:marketplace-validatorspython3 tests/test-marketplace-validators.py
validatenpm run validate:catalog && npm run validate:aws && npm run manifest:check && npm run validate:allowed-tools && npm run validate:skill-schema && npm run validate:agent-schema && npm run validate:links && npm run validate:asset-integrity && npm run validate:mcp-trust-matrix && npm run validate:no-lifecycle-scripts && npm run validate:promotion-gatekeeper && npm run validate:install-coverage && npm run validate:maestro-routing && npm run validate:plugin-manifest && npm run validate:kiro-powers && npm run validate:multi-harness-marketplace && npm run validate:codex-marketplace && npm run validate:finops-fixtures && npm run validate:readme-counts && npm run validate:qa-cluster
validate:agent-schemapython3 tests/validate-agent-frontmatter-schema.py
validate:allowed-toolspython3 tests/validate-skill-allowed-tools.py
validate:asset-integritypython3 tests/validate-asset-integrity.py
validate:awspython3 tests/validate-aws-skill-quality.py && python3 tests/validate-aws-progressive-disclosure.py
validate:catalogpython3 tests/validate-catalog.py
validate:codex-marketplacepython3 tests/validate-codex-marketplace.py
validate:finops-fixturespython3 tests/validate-finops-price-fixtures.py
validate:install-coveragenode tests/test-vfa-export-coverage.test.mjs
validate:kiro-powerspython3 tests/validate-kiro-powers.py
validate:linkspython3 tests/validate-links.py --offline
…and 9 more.