PkgRadar

Package evidence

@spirit-agent/[email protected]

Credential file access: matched ".aws/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these discounts; this panel only explains what was applied.

Versions published: 2
First published: Jun 2026
Publisher: n123999

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@spirit-agent/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@spirit-agent/[email protected]"],"fail_on":"review"}'

Publisher: n123999
Artifact bytes: 362,628
Previous version: 0.2.1
Published: 2026-06-17T11:21:48.523Z
SHA-256: 9b5964674eb090f2e57d57c6839b6849eceb9051dbeac5212c3e0c692ba63ede

Why flagged

What the scanner saw

Credential file access: matched ".aws/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 10
Version: 0.2.2
Status history (1 event)
  1. new · available · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

| Severity | Kind | Path | Detail | Points |
|----------|------|------|--------|--------|
| low | Credential file access | package/dist/bedrock-mantle.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/bedrock-mantle.test.js | matched ".aws/" | 5 |

Manifest

Package metadata

Scripts (10)
  • build: npm --prefix ../agent-core run build && npm run build:tsc
  • build:tsc: tsc -p tsconfig.json
  • notice: node scripts/gen-notice.mjs
  • notice:production: node scripts/gen-notice.mjs --production
  • prepublishOnly: npm run build && node ../../scripts/npm/assert-no-file-deps.mjs
  • smoke:lsp: npm run build && node dist/smoke/lsp-typescript-smoke.js
  • smoke:openai-models-parse: npm run build && node dist/smoke/openai-models-parse-smoke.js && node --test dist/bedrock-models.test.js dist/google-vertex-endpoints.test.js dist/google-vertex-models.test.js
  • test:lsp: npm run build && node --test dist/lsp/providers.test.js dist/lsp/resolve-server.test.js dist/lsp/resolve-server-jdtls.test.js dist/lsp/install.test.js dist/lsp/orchestrator.test.js dist/lsp/ready-providers.test.js dist/lsp/service-probe.test.js dist/lsp/write-append.test.js
  • test:workspace-file-references: npm run build && node --test dist/workspace-file-references.test.js
  • typecheck: npm --prefix ../agent-core run build && tsc -p tsconfig.json --noEmit
Dependencies (10)
  • @aws-sdk/client-bedrock ^3.1068.0
  • @spirit-agent/core 0.2.2
  • fast-glob ^3.3.3
  • fflate ^0.8.2
  • glob ^13.0.6
  • google-auth-library ^10.6.1
  • ignore ^5.3.2
  • tar ^7.5.13
  • vscode-jsonrpc ^8.2.1
  • vscode-languageserver-protocol ^3.17.5