Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 320 · status available -> available, risk high -> review, score 1088 -> 320
- new → available · risk high · score 1088 · status changed
Evidence
Static findings
100 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/banner-B5Hv4rlk.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/deliver-BiWlR84Y.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/deliver-f3cIWxXT.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/dist/index.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-Bjf7kWvg.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-uO7HZwjc.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-1sCVaPcF.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BnNm-DMY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-BkznAPKO.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DjKcZavm.js | matched "cUrl " | 12 |
| medium | Credential file access | package/dist/models-config-B5Xxy-c-.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/models-config-CiR_RUxw.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-7IGQ8nAM.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-t7tI9KSA.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-DdoLFoXg.js | 2223083 bytes | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-BCejcf5o.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-BdvW7eau.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-H3Qh_NZO.js | 2225018 bytes | 10 |
Show all 100 findings (low-signal and informational)
Showing 60 of 100 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/banner-B5Hv4rlk.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/deliver-BiWlR84Y.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/deliver-f3cIWxXT.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/export-html/vendor/highlight.min.js | matched "wget " | 12 |
| medium | Remote Payload | package/dist/index.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-Bjf7kWvg.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-uO7HZwjc.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-1sCVaPcF.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BnNm-DMY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-BkznAPKO.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DjKcZavm.js | matched "cUrl " | 12 |
| medium | Credential file access | package/dist/models-config-B5Xxy-c-.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/models-config-CiR_RUxw.js | matched "GITHUB_TOKEN" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-7IGQ8nAM.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-t7tI9KSA.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-DdoLFoXg.js | 2223083 bytes | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-BCejcf5o.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/provider-auth-helpers-BdvW7eau.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-H3Qh_NZO.js | 2225018 bytes | 10 |
| low | Credential file access | package/dist/bonjour-discovery-CWTnBKX8.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/bonjour-discovery-XbH0AYJ4.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/gateway-cli-Bo80TSkq.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/gateway-cli-BVpyqk_H.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/manager-DogrTmEo.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/manager-fgUC_sHR.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-1EAQvYRv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-Byr7Gic_.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/onboard-remote-DH3bPYbE.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/onboard-remote-Dr75eqOQ.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/server-methods-6-10RyMD.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/server-methods-Bdz-OwQ4.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-CKKGWxWC.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-DHO-Mc6G.js | matched ".ssh" | 5 |
| low | Credential file access | package/extensions/msteams/src/attachments.test.ts | matched ".azure" | 5 |
| low | Obfuscation | package/dist/canvas-host/a2ui/a2ui.bundle.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/agent-BsRYHa15.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/agent-TRt_SsAW.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/agents.config-B7sNDvhz.js | matched "\\u2013" | 3 |
| low | Obfuscation | package/dist/agents.config-CqfMQEiy.js | matched "\\u2013" | 3 |
| low | Obfuscation | package/dist/control-ui/js/app.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/auth-profiles-BSw0aQND.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/auth-profiles-Bt3PyWkt.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/chrome-3jl2ulOE.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-D1eO2jfe.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-DJChpTwP.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-OTJg3QKn.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/client-BOd5o3Kp.js | matched "Buffer.from(padded, \"base64" | 3 |
| low | Obfuscation | package/dist/client-DH75FlQF.js | matched "Buffer.from(padded, \"base64" | 3 |
| low | Obfuscation | package/dist/daemon-cli.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/deliver-BiWlR84Y.js | matched "Buffer.from(compact, isUrl ? \"base64url\" : \"base64" | 3 |
| low | Obfuscation | package/dist/deliver-f3cIWxXT.js | matched "Buffer.from(compact, isUrl ? \"base64url\" : \"base64" | 3 |
| low | Obfuscation | package/dist/entry.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/exec-approvals-DEjIocmZ.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/exec-approvals-DioSaIeH.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/bundled/boot-md/handler.js | matched "Buffer.from(image.data, \"base64" | 3 |
| low | Obfuscation | package/dist/export-html/vendor/highlight.min.js | matched "\\u00A1" | 3 |
| low | Obfuscation | package/dist/plugin-sdk/index.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/manager-CL767Sv9.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/dist/manager-DogrTmEo.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/dist/manager-fgUC_sHR.js | matched "\\u4e00" | 3 |
Manifest
Package metadata
Scripts85
android:assemblecd apps/android && ./gradlew :app:assembleDebugandroid:installcd apps/android && ./gradlew :app:installDebugandroid:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.symi.android/.MainActivityandroid:testcd apps/android && ./gradlew :app:testDebugUnitTestbuildpnpm canvas:a2ui:bundle && tsdown && pnpm build:plugin-sdk:dts && node --import tsx scripts/write-plugin-sdk-entry-dts.ts && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/copy-export-html-templates.ts && node --import tsx scripts/write-build-info.ts && pnpm ui:buildbuild:plugin-sdk:dtstsc -p tsconfig.plugin-sdk.dts.jsoncanvas:a2ui:bundlebash scripts/bundle-a2ui.shcheckpnpm format:check && pnpm tsgo && pnpm lintcheck:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-linkscheck:locnode --import tsx scripts/check-ts-max-loc.ts --max 500deadcode:cipnpm deadcode:report:ci:knip && pnpm deadcode:report:ci:ts-prune && pnpm deadcode:report:ci:ts-unuseddeadcode:knippnpm dlx knip --no-progressdeadcode:reportpnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unuseddeadcode:report:ci:knipmkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || truedeadcode:report:ci:ts-prunemkdir -p .artifacts/deadcode && pnpm deadcode:ts-prune > .artifacts/deadcode/ts-prune.txt 2>&1 || truedeadcode:report:ci:ts-unusedmkdir -p .artifacts/deadcode && pnpm deadcode:ts-unused > .artifacts/deadcode/ts-unused-exports.txt 2>&1 || truedeadcode:ts-prunepnpm dlx ts-prune src extensions scriptsdeadcode:ts-unusedpnpm dlx ts-unused-exports tsconfig.json --ignoreTestFiles --exitWithCountdevnode scripts/run-node.mjsdocs:binnode scripts/build-docs-list.mjsdocs:check-linksnode scripts/docs-link-audit.mjsdocs:devcd docs && mint devdocs:listnode scripts/docs-list.jsdocs:spellcheckbash scripts/docs-spellcheck.shdocs:spellcheck:fixbash scripts/docs-spellcheck.sh --writeformatoxfmt --writeformat:allpnpm format && pnpm format:swiftformat:checkoxfmt --checkformat:diffoxfmt --write && git --no-pager diffformat:docsgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --write- …and 55 more.
Dependencies48
@agentclientprotocol/sdk0.14.1@aws-sdk/client-bedrock^3.995.0@buape/carbon0.0.0-beta-20260216184201@clack/prompts^1.0.1@homebridge/ciao^1.3.5@lydell/node-pty1.2.0-beta.3@mariozechner/pi-agent-core0.54.0@mariozechner/pi-ai0.54.0@mariozechner/pi-coding-agent0.54.0@mariozechner/pi-tui0.54.0@mozilla/readability^0.6.0@sinclair/typebox0.34.48@slack/bolt^4.6.0@slack/web-api^7.14.1ajv^8.18.0chalk^5.6.2chokidar^5.0.0cli-highlight^2.1.11commander^14.0.3croner^10.0.1docx^9.5.1dotenv^17.3.1exceljs^4.4.0express^5.2.1file-type^21.3.0https-proxy-agent^7.0.6jiti^2.6.1json5^2.2.3jszip^3.10.1linkedom^0.18.12- …and 18 more.