Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 492
- Versions published: 88
- First published: Apr 2026
- Publisher: softspark
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer $PKGRADAR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@softspark/[email protected]"],"fail_on":"review"}'

GitHub Actions step:
    - name: PkgRadar gate
      run: |
        curl -fsS https://pkgradar.com/gate/npm \
          -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
          -H "Content-Type: application/json" \
          -d '{"specs":["@softspark/[email protected]"],"fail_on":"review"}'

Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 12 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/app/hooks/governance-capture.sh | matched "curl " | 12 |
Manifest
Package metadata
Scripts (26)
| Script | Command |
|---|---|
| benchmark:ecosystem | python3 scripts/benchmark_ecosystem.py --offline |
| benchmark:harvest | python3 scripts/harvest_ecosystem.py --offline |
| ecosystem:doctor | python3 scripts/ecosystem_doctor.py --format text |
| ecosystem:doctor:offline | python3 scripts/ecosystem_doctor.py --offline --format text |
| ecosystem:doctor:update | python3 scripts/ecosystem_doctor.py --update |
| evaluate | python3 scripts/evaluate_skills.py |
| generate:agents | python3 scripts/generate_agents_md.py > AGENTS.md |
| generate:aider | python3 scripts/generate_aider_conf.py > .aider.conf.yml |
| generate:all | npm run generate:language-rules && npm run generate:agents && npm run generate:opencode-agents && npm run generate:opencode-commands && npm run generate:cursor && npm run generate:cursor-mdc && npm run generate:windsurf && npm run generate:windsurf-rules && npm run generate:copilot && npm run generate:gemini && npm run generate:cline && npm run generate:roo && npm run generate:roo-rules && npm run generate:aider && npm run generate:augment-rules && npm run generate:llms |
| generate:augment-rules | python3 scripts/generate_augment_rules.py . |
| generate:cline | python3 scripts/generate_cline_rules.py . |
| generate:copilot | python3 scripts/generate_copilot.py > .github/copilot-instructions.md |
| generate:cursor | python3 scripts/generate_cursor_rules.py > .cursorrules |
| generate:cursor-mdc | python3 scripts/generate_cursor_mdc.py . |
| generate:gemini | python3 scripts/generate_gemini.py > GEMINI.md |
| generate:language-rules | python3 scripts/generate_language_rules_skills.py |
| generate:llms | python3 scripts/generate_llms_txt.py > llms.txt && python3 scripts/generate_llms_txt.py --full > llms-full.txt |
| generate:opencode-agents | python3 scripts/generate_opencode_agents.py . |
| generate:opencode-commands | python3 scripts/generate_opencode_commands.py . |
| generate:roo | python3 scripts/generate_roo_modes.py > .roomodes |
| generate:roo-rules | python3 scripts/generate_roo_rules.py . |
| generate:windsurf | python3 scripts/generate_windsurf.py > .windsurfrules |
| generate:windsurf-rules | python3 scripts/generate_windsurf_rules.py . |
| prepublishOnly | npm run generate:all && python3 scripts/validate.py --strict && npm test |
| test | bats tests/ --jobs 4 --no-parallelize-within-files |
| validate | python3 scripts/validate.py |