Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@xdarkicex/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@xdarkicex/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "cURL "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 27 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/index.js | matched "cURL " | 12 |
| medium | Obfuscation Density | package/dist/index.js | high encoded/escaped-token density | 12 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/index.js | matched "cURL " | 12 |
| medium | Obfuscation Density | package/dist/index.js | high encoded/escaped-token density | 12 |
| low | Obfuscation | package/dist/index.js | matched "\\x00" | 3 |
Manifest
Package metadata
Scripts15
benchmark:longmemeval:diagnosenode scripts/longmemeval-diagnose.mjsbenchmark:longmemeval:scorenode scripts/longmemeval-score.mjsbenchmark:session_search_midtsc -p tsconfig.tests.json && OPENCLAW_PROFILE_ASSEMBLE=1 node --test --test-name-pattern="real sidecar mid-sized session search benchmark" .ts-build/test/integration/host-flow.test.jsbuildtsc -p tsconfig.build.json && node scripts/bundle-entrypoint.mjs && mkdir -p dist/proto && cp -rf api/proto/. dist/proto/build:daemonbash scripts/build-daemon.shchecktsc --noEmit && pnpm run test:tsgate:assemble_optimizationtsc -p tsconfig.tests.json && OPENCLAW_PROFILE_ASSEMBLE=1 OPENCLAW_ENFORCE_ASSEMBLE_EVIDENCE_GATE=1 node --test --test-name-pattern="real sidecar mid-sized session search benchmark" .ts-build/test/integration/host-flow.test.jsplugin:checkplugin-inspector inspect --no-openclawplugin:ciplugin-inspector ci --no-openclaw --runtime --mock-sdk --allow-executeprepacknpm run buildprobe:session_recalltsc -p tsconfig.tests.json && OPENCLAW_PROFILE_ASSEMBLE=1 node --test --test-name-pattern="real sidecar mid-sized session search benchmark" .ts-build/test/integration/host-flow.test.jsprobe:session_recall_thresholdtsc -p tsconfig.tests.json && OPENCLAW_PROFILE_ASSEMBLE=1 node --test --test-name-pattern="real sidecar session_recall index threshold probe" .ts-build/test/integration/host-flow.test.jstest:inspectpnpm run plugin:citest:integrationpnpm run test:inspect && tsc -p tsconfig.tests.json && node --test .ts-build/test/integration/checklist-validation.test.js .ts-build/test/integration/dream-promotion.test.js .ts-build/test/integration/host-flow.test.js .ts-build/test/integration/markdown-ingest.test.jstest:tspnpm run test:inspect && tsc -p tsconfig.tests.json && node --test .ts-build/test/unit/*.test.js
Dependencies3
@connectrpc/connect^1.7.0@connectrpc/connect-node^1.7.0@xdarkicex/libravdb-contracts^0.3.0