PkgRadar

Package evidence

@verlox/[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
Jun 2026
Publisher
verlox

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@verlox/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@verlox/[email protected]"],"fail_on":"review"}'
Publisherverlox
Artifact bytes2,391,493
Previous versionnone
Published2026-06-15T03:06:41.583Z
SHA-256324a398a1d24cf04648c5c6b70499605488e16485a02e4b277db77991216ed65

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
0.2.0Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts14
  • admintsx ../ops.carinaai.uk/server.ts
  • boundary-checktsx scripts/check-kernel-boundaries.ts
  • buildnode_modules/.bin/tsc && mkdir -p dist/src/security dist/src/web dist/src/skills/hub dist/src/platform && cp src/security/injection-patterns.json dist/src/security/ && cp -r src/web/pricing dist/src/web/ && cp -r src/skills/hub/public dist/src/skills/hub/ && cp src/platform/platform-knowledge.md dist/src/platform/ && node scripts/sync-public-api-dist.mjs
  • build:workspacepnpm build && pnpm --filter @verlox/carina-web build && pnpm --filter @verlox/carina-scout build && pnpm --filter @verlox/pack-property build && pnpm --filter @verlox/pack-health build && pnpm --filter @verlox/pack-borehole-africa build
  • carinatsx bin/carina.ts
  • clitsx src/index.ts
  • devtsx watch src/index.ts
  • hubtsx src/skills/hub/server.ts
  • ingesttsx src/skills/ingestion.ts --pack property-uk
  • startnode dist/src/index.js
  • testvitest run
  • test:pack-contentsbash scripts/test-pack-contents.sh
  • test:smokebash scripts/smoke-install.sh
  • test:watchvitest
Dependencies32
  • @anthropic-ai/sdk^0.100.1
  • @google/generative-ai^0.24.1
  • @inquirer/prompts^7.10.1
  • @slack/bolt^4.6.0
  • @whiskeysockets/baileys7.0.0-rc13
  • bcryptjs^2.4.3
  • better-sqlite3^11.10.0
  • chalk^5.6.2
  • croner^10.0.1
  • discord.js^14.19.3
  • dotenv^17.4.2
  • ejs^3.1.10
  • express^5.2.1
  • express-rate-limit^8.5.2
  • express-session^1.18.0
  • ioredis^5.11.0
  • node-pty^1.1.0
  • node-telegram-bot-api^1.1.0
  • nodemailer^8.0.11
  • openai^6.41.0
  • pg^8.21.0
  • pgvector^0.3.0
  • playwright^1.60.0
  • puppeteer^25.1.0
  • readline-sync^1.4.10
  • resend^6.12.4
  • stripe^20.4.0
  • tsx^4.22.4
  • twilio^5.12.2
  • uuid^14.0.0
  • …and 2 more.