Package evidence

@takocode/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 11
First published: May 2026
Publisher: webetter-ai

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@takocode/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@takocode/[email protected]"],"fail_on":"review"}'

Publisherwebetter-ai

Artifact bytes32,807,679

Previous version2.6.9

Published2026-05-27T02:31:54.496Z

SHA-256d00568da056e90ea5a566307d42ca2ec9b6338cf054f1fa0a4198ebb14a21899

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

14d agoLast checked

reviewRisk

55Score

2.6.10Version

Status history (2 events)

available → available14d ago · risk review · score 55 · status available -> available, risk high -> review, score 163 -> 55
new → available17d ago · risk high · score 163 · status changed

Evidence

Static findings

15 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 15 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/chunk-2684zapm.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-62fjkf5q.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-67pvvsfb.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-j5ve5y3z.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-jdqp0r4h.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-qn6me9n1.js	matched "AWS_SECRET_ACCESS_KEY"	5
low	Credential file access	package/dist/chunk-r7yw38vf.js	matched ".npmrc"	5
low	Credential file access	package/dist/chunk-spxrf6ms.js	matched "aws_access_key"	5
low	Credential file access	package/dist/chunk-ss7x4wre.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/chunk-stb88x8v.js	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	postinstall="node scripts/run-parallel.mjs scripts/postinstall.cjs scripts/setup-chrome-mcp.mjs"	5
low	Obfuscation Density	package/dist/chunk-1he3944e.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/chunk-ch92ycde.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/dist/chunk-qtermy1x.js	8606738 bytes	0
low	Obfuscation Density	package/dist/chunk-vjdth0zx.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts27

buildbun run build.ts
build:bunbun run build.ts
build:vitevite build && bun run scripts/post-build.ts
build:vite:onlyvite build
checkbiome check .
check:bundlebun run scripts/check-bundle-integrity.ts
check:fixbiome check --fix .
check:unusedknip-bun
devbun run scripts/dev.ts
dev:inspectbun run scripts/dev-debug.ts
docs:devnpx mintlify dev
formatbiome format --write .
healthbun run scripts/health-check.ts
lintbiome lint .
lint:fixbiome lint --fix .
postinstallnode scripts/run-parallel.mjs scripts/postinstall.cjs scripts/setup-chrome-mcp.mjs
precheckbun run typecheck && bun run check:fix && bun test
preparehusky
prepublishOnlybun run build
rcsbun run scripts/rcs.ts
setup:all-platformsnode scripts/setup-all-platforms.cjs
testbun test
test:productionbun run scripts/production-test.ts
test:production:bunbun run scripts/production-test.ts --bun
test:production:offlinebun run scripts/production-test.ts --offline
test:production:verbosebun run scripts/production-test.ts --verbose
typechecktsc --noEmit

Dependencies4

@agentclientprotocol/sdk^0.19.0
@claude-code-best/mcp-chrome-bridge^3.0.1
highlight.js^11.11.1
ws^8.20.0

Optional dependencies1

doubaoime-asr^0.1.0