Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 320 · status available -> available, risk high -> review, score 1088 -> 320
- new → available · risk high · score 1088 · status changed
Related candidates
Linked campaigns and clusters
symerian
13 members · evidence strength 84Evidence
Static findings
100 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/banner-CY_9VW7E.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/deliver-BiWlR84Y.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/deliver-f3cIWxXT.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/dist/index.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-2SUv-W7i.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-BFhHfrt9.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BnNm-DMY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-DHw6muwK.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-CZGTCone.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DjKcZavm.js | matched "cUrl " | 12 |
| medium | Credential file access | package/dist/models-config-CiR_RUxw.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/models-config-DlXge3Sd.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BKejzolA.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-Dhr98nj8.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-B9rtlNMc.js | 2220585 bytes | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-Bgb_Bfp9.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-WLwb6tL4.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-BV5TdNFv.js | 2222520 bytes | 10 |
Show all 100 findings (low-signal and informational)
Showing 60 of 100 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/banner-CY_9VW7E.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/deliver-BiWlR84Y.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/deliver-f3cIWxXT.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/dist/index.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-2SUv-W7i.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-BFhHfrt9.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BnNm-DMY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-DHw6muwK.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-CZGTCone.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DjKcZavm.js | matched "cUrl " | 12 |
| medium | Credential file access | package/dist/models-config-CiR_RUxw.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/models-config-DlXge3Sd.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BKejzolA.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-Dhr98nj8.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-B9rtlNMc.js | 2220585 bytes | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-Bgb_Bfp9.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-WLwb6tL4.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-BV5TdNFv.js | 2222520 bytes | 10 |
| low | Credential file access | package/dist/bonjour-discovery-CWTnBKX8.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/bonjour-discovery-XbH0AYJ4.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/gateway-cli-DG_2YZ8B.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/gateway-cli-DgmGygc6.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/manager-Cv4xI8sP.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/manager-V4UCf0Av.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-_C07_3Yr.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-Byr7Gic_.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/onboard-remote-DZdMxd1Q.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/onboard-remote-y3ZmP90U.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/server-methods-CWxr5b-w.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/server-methods-DfVfzYqq.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-CKKGWxWC.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-DHO-Mc6G.js | matched ".ssh" | 5 |
| low | Credential file access | package/extensions/msteams/src/attachments.test.ts | matched ".azure" | 5 |
| low | Obfuscation | package/dist/canvas-host/a2ui/a2ui.bundle.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/agent-DgVWcnlD.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/agent-NT0EKnK_.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/agents.config-CqfMQEiy.js | matched "\\u2013" | 3 |
| low | Obfuscation | package/dist/agents.config-DA0ISLi7.js | matched "\\u2013" | 3 |
| low | Obfuscation | package/dist/control-ui/js/app.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/auth-profiles-BSw0aQND.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/auth-profiles-Bt3PyWkt.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/chrome-38OnGyuN.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-3jl2ulOE.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-D1eO2jfe.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-OTJg3QKn.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/client-CTrfpKT3.js | matched "Buffer.from(padded, \"base64" | 3 |
| low | Obfuscation | package/dist/client-yVTJ5jx5.js | matched "Buffer.from(padded, \"base64" | 3 |
| low | Obfuscation | package/dist/daemon-cli.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/deliver-BiWlR84Y.js | matched "Buffer.from(compact, isUrl ? \"base64url\" : \"base64" | 3 |
| low | Obfuscation | package/dist/deliver-f3cIWxXT.js | matched "Buffer.from(compact, isUrl ? \"base64url\" : \"base64" | 3 |
| low | Obfuscation | package/dist/entry.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/exec-approvals-DEjIocmZ.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/exec-approvals-DioSaIeH.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/bundled/boot-md/handler.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/export-html/vendor/highlight.min.js | matched "\\u00A1" | 3 |
| low | Obfuscation | package/dist/plugin-sdk/index.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/manager-CceVgXHV.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/dist/manager-Cv4xI8sP.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/dist/manager-DG6PODgu.js | matched "\\u4e00" | 3 |
Manifest
Package metadata
Scripts85
android:assemblecd apps/android && ./gradlew :app:assembleDebugandroid:installcd apps/android && ./gradlew :app:installDebugandroid:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.symi.android/.MainActivityandroid:testcd apps/android && ./gradlew :app:testDebugUnitTestbuildpnpm canvas:a2ui:bundle && tsdown && pnpm build:plugin-sdk:dts && node --import tsx scripts/write-plugin-sdk-entry-dts.ts && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/copy-export-html-templates.ts && node --import tsx scripts/write-build-info.ts && pnpm ui:buildbuild:plugin-sdk:dtstsc -p tsconfig.plugin-sdk.dts.jsoncanvas:a2ui:bundlebash scripts/bundle-a2ui.shcheckpnpm format:check && pnpm tsgo && pnpm lintcheck:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-linkscheck:locnode --import tsx scripts/check-ts-max-loc.ts --max 500deadcode:cipnpm deadcode:report:ci:knip && pnpm deadcode:report:ci:ts-prune && pnpm deadcode:report:ci:ts-unuseddeadcode:knippnpm dlx knip --no-progressdeadcode:reportpnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unuseddeadcode:report:ci:knipmkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || truedeadcode:report:ci:ts-prunemkdir -p .artifacts/deadcode && pnpm deadcode:ts-prune > .artifacts/deadcode/ts-prune.txt 2>&1 || truedeadcode:report:ci:ts-unusedmkdir -p .artifacts/deadcode && pnpm deadcode:ts-unused > .artifacts/deadcode/ts-unused-exports.txt 2>&1 || truedeadcode:ts-prunepnpm dlx ts-prune src extensions scriptsdeadcode:ts-unusedpnpm dlx ts-unused-exports tsconfig.json --ignoreTestFiles --exitWithCountdevnode scripts/run-node.mjsdocs:binnode scripts/build-docs-list.mjsdocs:check-linksnode scripts/docs-link-audit.mjsdocs:devcd docs && mint devdocs:listnode scripts/docs-list.jsdocs:spellcheckbash scripts/docs-spellcheck.shdocs:spellcheck:fixbash scripts/docs-spellcheck.sh --writeformatoxfmt --writeformat:allpnpm format && pnpm format:swiftformat:checkoxfmt --checkformat:diffoxfmt --write && git --no-pager diffformat:docsgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --write- …and 55 more.
Dependencies48
@agentclientprotocol/sdk0.14.1@aws-sdk/client-bedrock^3.995.0@buape/carbon0.0.0-beta-20260216184201@clack/prompts^1.0.1@homebridge/ciao^1.3.5@lydell/node-pty1.2.0-beta.3@mariozechner/pi-agent-core0.54.0@mariozechner/pi-ai0.54.0@mariozechner/pi-coding-agent0.54.0@mariozechner/pi-tui0.54.0@mozilla/readability^0.6.0@sinclair/typebox0.34.48@slack/bolt^4.6.0@slack/web-api^7.14.1ajv^8.18.0chalk^5.6.2chokidar^5.0.0cli-highlight^2.1.11commander^14.0.3croner^10.0.1docx^9.5.1dotenv^17.3.1exceljs^4.4.0express^5.2.1file-type^21.3.0https-proxy-agent^7.0.6jiti^2.6.1json5^2.2.3jszip^3.10.1linkedom^0.18.12- …and 18 more.