Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 46
- First published: Apr 2026
- Publisher: cly-org
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
curl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@switchbot/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@switchbot/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 2861330 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/index.js | 2861330 bytes | 10 |
Manifest
Package metadata
Scripts (27)
| Script | Command |
|---|---|
| build | `node scripts/build.mjs` |
| dev | `tsx src/index.ts` |
| hooks:install | `node scripts/install-git-hooks.mjs` |
| lint:md | `markdownlint "**/*.md"` |
| lint:md:changelog | `markdownlint CHANGELOG.md` |
| lint:stdout | `bash scripts/lint-stdout.sh` |
| prepare | `node scripts/install-git-hooks.mjs` |
| prepublishOnly | `npm run verify:release-gate` |
| smoke:claude-code-pack-install | `node scripts/smoke-claude-code-pack-install.mjs` |
| smoke:codex-git-sparse | `node scripts/smoke-codex-git-sparse.mjs` |
| smoke:codex-pack-install | `node scripts/smoke-codex-pack-install.mjs` |
| smoke:codex-temp-prefix-route-a | `node scripts/smoke-codex-temp-prefix-route-a.mjs` |
| smoke:pack-install | `node scripts/smoke-pack-install.mjs` |
| start | `node dist/index.js` |
| test | `vitest run` |
| test:all | `npm test && npm run test:workspaces` |
| test:coverage | `vitest run --coverage` |
| test:release-smoke:manual | `npm test -- tests/commands/policy.test.ts tests/commands/devices.test.ts tests/commands/explain.test.ts tests/commands/doctor.test.ts tests/commands/mcp.test.ts tests/commands/health-check.test.ts tests/commands/quota.test.ts tests/commands/status-sync.test.ts tests/status-sync/smoke.test.ts tests/commands/watch.test.ts tests/commands/events.test.ts tests/devices/catalog-fidelity.test.ts tests/commands/schema.test.ts tests/commands/auth.test.ts tests/commands/config.test.ts tests/commands/scenes.test.ts tests/commands/batch.test.ts tests/commands/history.test.ts tests/commands/expand.test.ts tests/commands/webhook.test.ts tests/commands/daemon.test.ts tests/commands/upgrade-check.test.ts tests/commands/install.test.ts tests/commands/uninstall.test.ts tests/commands/rules.test.ts tests/commands/plan.test.ts` |
| test:watch | `vitest` |
| test:workspaces | `npm test --workspaces --if-present` |
| typecheck | `tsc --noEmit` |
| typecheck:all | `npm run typecheck && npm run typecheck:workspaces` |
| typecheck:workspaces | `npm run typecheck --workspaces --if-present` |
| verify:pre-commit | `npm run build && npm test -- tests/version.test.ts tests/install/codex-checks.test.ts tests/commands/codex.test.ts && npm run test:workspaces` |
| verify:pre-push | `npm run verify:release-gate` |
| verify:release | `node scripts/verify-release.mjs` |
| verify:release-gate | `npm run build && npm test -- tests/version.test.ts tests/install/codex-checks.test.ts tests/commands/codex.test.ts && npm run test:workspaces && npm run smoke:pack-install && npm run smoke:codex-pack-install && npm run smoke:codex-git-sparse && npm run smoke:codex-temp-prefix-route-a && npm run smoke:claude-code-pack-install` |
Dependencies (4)
| Package | Version range |
|---|---|
| axios | ^1.7.9 |
| mqtt | ^5.3.0 |
| open | ^10.2.0 |
| pino | ^9.0.0 |