PkgRadar

Package evidence

@swarmclawai/[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
570
Versions published
180
First published
Feb 2026
Publisher
waydelyle

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@swarmclawai/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@swarmclawai/[email protected]"],"fail_on":"review"}'
Publisherwaydelyle
Artifact bytes4,448,298
Previous version1.9.38
Published2026-06-11T14:14:52.280Z
SHA-25656a92b5c847085e15517899f818620f7da039c1d139deb597c097649d0822091

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
1.9.39Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/src/lib/server/session-tools/index.tsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node ./scripts/postinstall.mjs"5

Manifest

Package metadata

Scripts39
  • benchmark:agent-regressionnode --import tsx ./scripts/run-agent-regression-suite.ts
  • benchmark:autonomynode ./scripts/benchmark-autonomy-harness.mjs
  • buildnode ./scripts/run-next-build.mjs
  • build:ciNEXT_DISABLE_ESLINT=1 node ./scripts/run-next-build.mjs
  • clinode ./bin/swarmclaw.js
  • devnext dev --turbopack --hostname 0.0.0.0 -p 3456
  • dev:cleanrm -rf .next && next dev --turbopack --hostname 0.0.0.0 -p 3456
  • dev:webpacknext dev --webpack --hostname 0.0.0.0 -p 3456
  • electron:buildnode ./scripts/build-electron.mjs
  • electron:build:linuxnode ./scripts/build-electron.mjs --linux
  • electron:build:macnode ./scripts/build-electron.mjs --mac
  • electron:build:publishnode ./scripts/build-electron.mjs --publish
  • electron:build:winnode ./scripts/build-electron.mjs --win
  • electron:compiletsc -p electron/tsconfig.json
  • electron:devnpm run electron:compile && electron electron-dist/main.js
  • formateslint --fix
  • linteslint
  • lint:baselinenode ./scripts/lint-baseline.mjs check
  • lint:baseline:updatenode ./scripts/lint-baseline.mjs update
  • lint:fixeslint --fix
  • postinstallnode ./scripts/postinstall.mjs
  • prepacknpm run build:ci
  • quickstartnode ./scripts/easy-setup.mjs --start
  • quickstart:prodnode ./scripts/easy-setup.mjs --prod
  • sandbox:build:browserdocker build -f Dockerfile.sandbox-browser -t swarmclaw-sandbox-browser:bookworm-slim .
  • setup:easynode ./scripts/easy-setup.mjs
  • startnode .next/standalone/server.js
  • start:standalonenode .next/standalone/server.js
  • testnpm run test:cli && npm run test:setup && npm run test:openclaw && npm run test:runtime && npm run test:builder
  • test:buildertsx --test src/features/protocols/builder/utils/builder-template-access.test.ts src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts
  • …and 9 more.
Dependencies76
  • @huggingface/transformers^3.8.1
  • @langchain/anthropic^1.3.18
  • @langchain/core^1.1.31
  • @langchain/langgraph^1.2.2
  • @langchain/openai^1.2.8
  • @modelcontextprotocol/sdk^1.29.0
  • @multiavatar/multiavatar^1.0.7
  • @opentelemetry/api^1.9.1
  • @opentelemetry/exporter-trace-otlp-http^0.214.0
  • @opentelemetry/sdk-node^0.214.0
  • @playwright/mcp^0.0.68
  • @slack/bolt^4.6.0
  • @swarmdock/sdk^0.5.3
  • @tailwindcss/postcss^4
  • @tanstack/react-query^5.91.0
  • @types/better-sqlite3^7.6.13
  • @types/dagre^0.7.54
  • @types/mailparser^3.4.6
  • @types/mime-types^2.1.4
  • @types/node^20
  • @types/nodemailer^7.0.11
  • @types/qrcode^1.5.6
  • @types/react^19
  • @types/react-dom^19
  • @types/ws^8.18.1
  • @whiskeysockets/baileys^7.0.0-rc.9
  • @xyflow/react^12.10.2
  • @xyflow/system^0.0.76
  • better-sqlite3^12.6.2
  • bs58^5.0.0
  • …and 46 more.
Optional dependencies5
  • botbuilder^4.23.3
  • googleapis^171.4.0
  • matrix-bot-sdk^0.8.0
  • opusscript0.0.8
  • utf-8-validate5.0.10