PkgRadar

Package evidence

@treasuredata/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
813
Versions published
245Established · −30% score
First published
Nov 2025
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@treasuredata/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@treasuredata/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes1,292,071
Previous version2026.4.55
Published2026-05-26T23:33:23.781Z
SHA-2565c142b60ceb856f915ef2a51dc19e3685ef832025e7fd9ef891bb1e307d0a82f

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
2026.5.0Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

27 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/dist/commands/agent-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/agent-test-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/sdk/agent/agent-yaml.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/auth-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/cas-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/claude-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/cli.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/connection-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/engage-campaign-push-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/engage-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/engage-template-push-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/sdk/engage.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/sdk/query/index.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/sdk/workspace/index.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/journey-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/sdk/segment/journey-validator.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/llm-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/parent-segment-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/proxy/passthrough-server.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/profile-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/schedule-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/segment-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/segment-pull-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/segment-push-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/mcp/server.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/use-command.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/commands/workflow-command.jshigh encoded/escaped-token density12

Manifest

Package metadata

Scripts27
  • buildpnpm run build:ts && pnpm run build:obfuscate
  • build:infonode scripts/generate-build-info.mjs
  • build:installpnpm run build:ts && pnpm link --global
  • build:obfuscatejavascript-obfuscator ./dist --output ./dist
  • build:tspnpm run build:info && tsc && chmod +x dist/bin.js && cp src/build-info.json dist/build-info.json && cp -r src/sdk/workspace/builtin-schedules dist/sdk/workspace/builtin-schedules && node -e "require('fs').copyFileSync('dist/bin.js','dist/tdx')"
  • design-notesnode scripts/generate-design-notes-sidebar.mjs
  • devtsx src/bin.ts
  • docs:buildpnpm run typedoc && pnpm run design-notes && pnpm --filter tdx-docs docs:build
  • docs:devpnpm run typedoc && pnpm run design-notes && pnpm --filter tdx-docs docs:dev
  • docs:previewpnpm --filter tdx-docs docs:preview
  • formatprettier --write "src/**/*.ts"
  • format:checkprettier --check "src/**/*.ts"
  • ios:generatecd ios && xcodegen generate
  • linteslint src --ext .ts
  • preparelefthook install || echo 'lefthook not installed, skipping hooks'
  • prepublishOnlypnpm run build
  • promotescripts/promote-release.sh
  • releasescripts/prepare-release.sh
  • studiopnpm install && pnpm --filter @treasuredata/tdx-studio dev
  • studio:devpnpm --filter @treasuredata/tdx-studio dev
  • studio:installpnpm install
  • testvitest src/
  • test:buildvitest run tests/cli-validation/
  • test:coveragevitest --coverage src/
  • test:integrationvitest --run tests/
  • typechecktsc --noEmit
  • typedoctypedoc
Dependencies19
  • @fastify/cors^11.1.0
  • @modelcontextprotocol/sdk^1.25.2
  • @napi-rs/keyring^1.2.0
  • @types/json-bigint^1.0.4
  • chalk^5.3.0
  • cli-table3^0.6.5
  • commander^14.0.2
  • dotenv^17.2.3
  • fastify^5.2.0
  • ignore^7.0.5
  • json-bigint^1.0.0
  • ora^9.0.0
  • prompts^2.4.2
  • semver^7.8.1
  • string-width^8.1.0
  • tar^7.5.2
  • undici^8.0.0
  • yaml^2.8.2
  • zod^4.3.5