Package evidence

@raviolelabs/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,245Niche · −30% score
Versions published: 27
First published: May 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@raviolelabs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@raviolelabs/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes301,811

Previous version0.6.2

Published2026-05-27T18:20:59.891Z

SHA-256e5ae49d67a89244bf759838b1a7c9f19ef363a8427a8421ec28c410a4c189370

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

3Score

0.6.3Version

Status history (1 event)

new → available16d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/scripts/install-ollama.js	matched "curl "	12

Manifest

Package metadata

Scripts18

buildtsc && chmod +x dist/scripts/serve.js dist/scripts/install.js dist/scripts/pair.js dist/scripts/rebuild.js dist/scripts/service.js dist/scripts/setup-drive.js
build:allnpm run build:client && npm run build
build:clientvite build --config src/client/vite.config.ts
devtsx watch src/scripts/serve.ts
dev:clientvite --config src/client/vite.config.ts
formatprettier --write src/
format:checkprettier --check src/
install:wizardtsx src/scripts/install.ts
linteslint src/
lint:fixeslint src/ --fix
pack-binarytsx scripts/pack-binary.ts
pairtsx src/scripts/pair.ts
rebuildtsx src/scripts/rebuild.ts
reindextsx src/scripts/reindex.ts
setup:drivetsx src/scripts/setup-drive.ts
startnode dist/scripts/serve.js
testvitest run
test:watchvitest

Dependencies24

@lancedb/lancedb0.27.1
@modelcontextprotocol/sdk1.28.0
@notionhq/client2.3.0
@tanstack/react-query5.59.0
@types/multer2.1.0
better-sqlite312.8.0
cytoscape3.33.3
cytoscape-fcose2.2.0
express5.2.1
fast-xml-parser5.8.0
googleapis172.0.0
libsodium-wrappers0.8.4
multer2.1.1
node-cron4.2.1
nodejs-whisper0.2.4
pdf-parse2.4.5
react19.0.0
react-dom19.0.0
react-router-dom7.12.0
secrets.js-grempe2.0.0
ulid2.4.0
undici8.3.0
ws8.21.0
zod3.25.76