PkgRadar

Package evidence

@researchcomputer/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
48
Versions published
9
First published
Apr 2026
Publisher
xzyaoi

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@researchcomputer/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@researchcomputer/[email protected]"],"fail_on":"review"}'
Publisherxzyaoi
Artifact bytes4,252,580
Previous version0.2.0
Published2026-06-16T07:58:08.020Z
SHA-256b8b44f68d30b0ed312801c43eec2a039399d9f525928f63b0067a45b3b5b0d4e

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
0.2.1Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/cli/args.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/core/auth-storage.jsmatched "AWS_ACCESS_KEY"5
lowObfuscation Densitypackage/npm-shrinkwrap.jsonhigh encoded/escaped-token density0

Manifest

Package metadata

Scripts14
  • buildtsc -p tsconfig.standalone.json && shx chmod +x dist/cli.js && npm run copy-assets
  • build:binarynpm --prefix ../tui run build && npm --prefix ../ai run build && npm --prefix ../agent run build && npm run build && bun build --compile ./dist/bun/cli.js ./src/utils/image-resize-worker.ts --outfile dist/pi && npm run copy-binary-assets
  • build:binary:standalonenpm run build && bun build --compile ./dist/bun/cli.js ./src/utils/image-resize-worker.ts --outfile dist/pi && npm run copy-binary-assets
  • checkbiome ci .
  • cleanshx rm -rf dist
  • copy-assetsshx mkdir -p dist/modes/interactive/theme && shx cp src/modes/interactive/theme/*.json dist/modes/interactive/theme/ && shx mkdir -p dist/modes/interactive/assets && shx cp src/modes/interactive/assets/*.png dist/modes/interactive/assets/ && shx mkdir -p dist/core/export-html/vendor && shx cp src/core/export-html/template.html src/core/export-html/template.css src/core/export-html/template.js dist/core/export-html/ && shx cp src/core/export-html/vendor/*.js dist/core/export-html/vendor/
  • copy-binary-assetsshx cp package.json dist/ && shx cp README.md dist/ && shx cp CHANGELOG.md dist/ && shx mkdir -p dist/theme && shx cp src/modes/interactive/theme/*.json dist/theme/ && shx mkdir -p dist/assets && shx cp src/modes/interactive/assets/*.png dist/assets/ && shx mkdir -p dist/export-html/vendor && shx cp src/core/export-html/template.html dist/export-html/ && shx cp src/core/export-html/vendor/*.js dist/export-html/vendor/ && shx cp -r docs dist/ && shx cp -r examples dist/ && shx cp ./node_modules/@silvia-odwyer/photon-node/photon_rs_bg.wasm dist/
  • devtsgo -p tsconfig.build.json --watch --preserveWatchOutput
  • formatbiome check --write .
  • install:localnpm run build:binary:standalone && mkdir -p ~/.local/share/pista && cp dist/pi ~/.local/share/pista/pista && cp dist/package.json ~/.local/share/pista/ && cp -r dist/theme ~/.local/share/pista/ && cp -r dist/assets ~/.local/share/pista/ && cp -r dist/export-html ~/.local/share/pista/ && mkdir -p ~/.local/bin && ln -sf ~/.local/share/pista/pista ~/.local/bin/pista && echo 'Installed pista to ~/.local/share/pista with symlink in ~/.local/bin/pista' && (echo $PATH | grep -q '\.local/bin' || echo 'WARNING: ~/.local/bin is not in your PATH. Add: export PATH="$HOME/.local/bin:$PATH"')
  • prepublishOnlynpm run clean && npm run build
  • releasenpm test && npm publish
  • startnode dist/cli.js
  • testvitest --run
Dependencies19
  • @earendil-works/pi-tui^0.79.3
  • @mariozechner/pi-agent-core^0.73.1
  • @researchcomputer/agents-sdk^0.2.2
  • @researchcomputer/ai-provider^0.1.0
  • @silvia-odwyer/photon-node^0.3.4
  • chalk^5.6.2
  • cross-spawn^7.0.6
  • diff^9.0.0
  • glob^13.0.6
  • highlight.js^10.7.3
  • hosted-git-info^10.1.1
  • ignore^7.0.5
  • jiti^2.7.0
  • minimatch^10.2.5
  • proper-lockfile^4.1.2
  • semver^7.8.0
  • typebox^1.1.38
  • undici^8.3.0
  • yaml^2.9.0
Optional dependencies1
  • @mariozechner/clipboard0.3.9