Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 681
- Versions published
- 236
- First published
- Feb 2026
- Publisher
- symerian
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@symerian/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 2223064 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 75 · status changed
Evidence
Static findings
13 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/pi-embedded-V-5MAZNb.js | 2223064 bytes | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-C7BRCFJF.js | 2225037 bytes | 10 |
Show all 13 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/pi-embedded-V-5MAZNb.js | 2223064 bytes | 10 |
| medium | Large Javascript Payload | package/dist/unified-runner-C7BRCFJF.js | 2225037 bytes | 10 |
| low | Credential file access | package/dist/manager-DM2oPS8M.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/manager-NDn8AFhr.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-1EAQvYRv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-auth-Byr7Gic_.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/models-config-B5Xxy-c-.js | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/models-config-CiR_RUxw.js | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/onboard-custom-BcRYreNG.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/onboard-custom-CfKvdcJ5.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/server-methods-6-10RyMD.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/server-methods-Bdz-OwQ4.js | matched ".ssh" | 5 |
| low | Credential file access | package/extensions/msteams/src/attachments.test.ts | matched ".azure" | 5 |
Manifest
Package metadata
Scripts85
android:assemblecd apps/android && ./gradlew :app:assembleDebugandroid:installcd apps/android && ./gradlew :app:installDebugandroid:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.symi.android/.MainActivityandroid:testcd apps/android && ./gradlew :app:testDebugUnitTestbuildpnpm canvas:a2ui:bundle && tsdown && pnpm build:plugin-sdk:dts && node --import tsx scripts/write-plugin-sdk-entry-dts.ts && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/copy-export-html-templates.ts && node --import tsx scripts/write-build-info.ts && pnpm ui:buildbuild:plugin-sdk:dtstsc -p tsconfig.plugin-sdk.dts.jsoncanvas:a2ui:bundlebash scripts/bundle-a2ui.shcheckpnpm format:check && pnpm tsgo && pnpm lintcheck:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-linkscheck:locnode --import tsx scripts/check-ts-max-loc.ts --max 500deadcode:cipnpm deadcode:report:ci:knip && pnpm deadcode:report:ci:ts-prune && pnpm deadcode:report:ci:ts-unuseddeadcode:knippnpm dlx knip --no-progressdeadcode:reportpnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unuseddeadcode:report:ci:knipmkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || truedeadcode:report:ci:ts-prunemkdir -p .artifacts/deadcode && pnpm deadcode:ts-prune > .artifacts/deadcode/ts-prune.txt 2>&1 || truedeadcode:report:ci:ts-unusedmkdir -p .artifacts/deadcode && pnpm deadcode:ts-unused > .artifacts/deadcode/ts-unused-exports.txt 2>&1 || truedeadcode:ts-prunepnpm dlx ts-prune src extensions scriptsdeadcode:ts-unusedpnpm dlx ts-unused-exports tsconfig.json --ignoreTestFiles --exitWithCountdevnode scripts/run-node.mjsdocs:binnode scripts/build-docs-list.mjsdocs:check-linksnode scripts/docs-link-audit.mjsdocs:devcd docs && mint devdocs:listnode scripts/docs-list.jsdocs:spellcheckbash scripts/docs-spellcheck.shdocs:spellcheck:fixbash scripts/docs-spellcheck.sh --writeformatoxfmt --writeformat:allpnpm format && pnpm format:swiftformat:checkoxfmt --checkformat:diffoxfmt --write && git --no-pager diffformat:docsgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --write- …and 55 more.
Dependencies48
@agentclientprotocol/sdk0.14.1@aws-sdk/client-bedrock^3.995.0@buape/carbon0.0.0-beta-20260216184201@clack/prompts^1.0.1@homebridge/ciao^1.3.5@lydell/node-pty1.2.0-beta.3@mariozechner/pi-agent-core0.54.0@mariozechner/pi-ai0.54.0@mariozechner/pi-coding-agent0.54.0@mariozechner/pi-tui0.54.0@mozilla/readability^0.6.0@sinclair/typebox0.34.48@slack/bolt^4.6.0@slack/web-api^7.14.1ajv^8.18.0chalk^5.6.2chokidar^5.0.0cli-highlight^2.1.11commander^14.0.3croner^10.0.1docx^9.5.1dotenv^17.3.1exceljs^4.4.0express^5.2.1file-type^21.3.0https-proxy-agent^7.0.6jiti^2.6.1json5^2.2.3jszip^3.10.1linkedom^0.18.12- …and 18 more.