PkgRadar

Package evidence

@smartergpt/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 21 (Established · −30% score)
First published: Nov 2025
Publisher: guffawaffle

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@smartergpt/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@smartergpt/[email protected]"],"fail_on":"review"}'

Publisher: guffawaffle
Artifact bytes: 572,914
Previous version: 2.5.1
Published: 2026-04-12T17:53:17.822Z
SHA-256: 4d5ef4180fa42438ff378a9f14012fa27fe7dedcbcec4e696c605c9fb94d933b

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: review
Score: 7
Version: 2.7.0

Status history (1 event)
  1. new · available · risk review · score 7 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

Severity | Kind | Path | Detail | Points
low | Credential file access | package/dist/memory/mcp_server/auth/github-provider.js | matched "GITHUB_TOKEN" | 5
low | Install-time lifecycle script | package.json | postinstall="node -e \"if (process.env.npm_config_global === 'true' || !process.cwd().includes('node_modules')) { console.log('\\n📦 Lex installed! Run \\\"npx lex init\\\" to set up your workspace.\\n'); }\"" | 5

Manifest

Package metadata

Scripts (45)
  • build: tsc -b tsconfig.build.json
  • changeset: changeset
  • check-sqlite: npx tsx scripts/check-sqlite-bindings.ts
  • check:coverage: c8 --check-coverage --branches 60 --functions 60 --lines 60 --statements 60 npm test
  • check:release-drift: node scripts/check-release-drift.mjs
  • ci: npm run lint && npm run type-check && npm test && npm run build
  • ci:full: npm run lint && npm run type-check && npm test && npm run test:integration && npm run build && npm run guard:pack
  • ci:minimal: npm run lint && npm run type-check
  • clean: tsc -b tsconfig.build.json --clean && rimraf dist prompts schemas
  • copy-canon: node scripts/copy-canon.js
  • coverage: c8 -r text -r lcov npm test
  • format: prettier --write "**/*.{ts,tsx,js,jsx,json,md}"
  • format:check: prettier --check "**/*.{ts,tsx,js,jsx,json,md}"
  • generate:test-frames: node scripts/generate-test-frames.mjs
  • guard:no-js-src: node ./scripts/check-no-js-in-src.mjs
  • guard:pack: node scripts/create-pack-json.js && node scripts/pack-guard.js && rm pack.json *.tgz
  • lint: eslint .
  • lint:baseline:check: npx eslint . --format=json 2>&1 | grep -v '^>' > current-lint.json && node scripts/lint-budget.mjs current-lint.json lint-baseline.json && rm current-lint.json
  • lint:baseline:update: npx eslint . --format=json 2>&1 | grep -v '^>' > lint-baseline.json && echo 'Baseline updated. Please commit lint-baseline.json.'
  • lint:fix: eslint . --fix
  • local-ci: npm run ci
  • local-ci:nonet: ./scripts/ci-nonet.sh
  • postbuild: chmod +x dist/shared/cli/lex.js && npm run copy-canon
  • postinstall: node -e "if (process.env.npm_config_global === 'true' || !process.cwd().includes('node_modules')) { console.log('\n📦 Lex installed! Run \"npx lex init\" to set up your workspace.\n'); }"
  • prepack: npm run build
  • prepare: husky
  • prompts:lint: node scripts/lint-prompts.js
  • rebuild-sqlite: npm rebuild better-sqlite3-multiple-ciphers
  • release: npm run build && changeset publish
  • setup-local: ./scripts/setup-local.sh
  • …and 15 more.

Dependencies (20)
  • @smartergpt/lex ^2.0.3
  • @types/express ^5.0.5
  • @types/jsonwebtoken ^9.0.10
  • axios ^1.13.2
  • better-sqlite3-multiple-ciphers ^12.6.2
  • commander ^14.0.2
  • express ^5.1.0
  • express-rate-limit ^8.2.1
  • glob ^13.0.0
  • helmet ^8.1.0
  • inquirer ^13.1.0
  • jsonwebtoken ^9.0.2
  • minimatch ^10.1.1
  • pino ^10.1.0
  • sharp ^0.34.5
  • shiki ^3.20.0
  • typescript ^5.9.3
  • uuid ^13.0.0
  • yaml ^2.8.1
  • zod ^4.1.12

Optional dependencies (1)
  • pino-pretty ^13.1.2