Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 4
- First published
- May 2026
- Publisher
- ratelworks
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation: matched "\\u0000"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 3 · status available -> available, risk high -> review, score 67 -> 3
- new → available · risk high · score 67 · status changed
Related candidates
Linked campaigns and clusters
Install Lifecycle Suppresses Failure — prepare="git config core.hookspath .githooks 2>/dev/null || true"
10 members · evidence strength 83Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation | package/build/lib/safety-report-storage.js | matched "\\u0000" | 3 |
Manifest
Package metadata
Scripts73
audittsx scripts/audit/audit-graph-health.ts && tsx scripts/audit/legal-coverage-audit.tsaudit:blocker-contracttsx scripts/audit/audit-blocker-contract.tsaudit:criticaltsx scripts/audit/audit-graph-health.ts --strict --criticalaudit:expandtsx scripts/audit/audit-jsonld-expand.tsaudit:graph-v2tsx scripts/audit/audit-ontology-v2.tsaudit:kosha-gapstsx scripts/audit/audit-kosha-guide-gaps.tsaudit:master-cycle-drifttsx scripts/audit/audit-master-cycle-drift.tsaudit:stricttsx scripts/audit/audit-graph-health.ts --strictauto-improvetsx scripts/quality/auto-improve.tsbuildtsc && tsx scripts/build/copy-ontology-assets.ts && tsx scripts/build/generate-inventory.ts && tsx scripts/build/sync-docs.ts && node -e "import('fs').then(fs=>fs.chmodSync('build/cli.js',0o755))"check:allnpm run check:essence && npm run check:lightweightcheck:doc-synctsx scripts/verify/check-doc-code-sync.tscheck:essencetsx scripts/verify/check-essence.tscheck:lightweighttsx scripts/verify/check-lightweight.tsclinode build/cli.jscrawl-koshatsx scripts/sync/crawl-kosha-portal.tsdevtsx src/index.tsdocs:checktsx scripts/build/sync-docs.ts --checkdocs:synctsx scripts/build/sync-docs.tsevaluate-jsonldtsx scripts/verify/evaluate-jsonld.tsexport-rdftsx scripts/ontology/export-rdf.tsform-conformancetsx scripts/verify/form-conformance.tsmcp:a2ui:demonode build/cli.js call render_a2ui_form --inputJson '{"docId":"daily_tbm","format":"jsonl"}'mcp:inspectnpx @modelcontextprotocol/inspector node build/cli.js servemcp:startnode build/cli.js servemcp:test:a2uitsx scripts/test/test-a2ui-workflow.tsmcp:test:allnpm run build && npm run mcp:test:lifecycle && npm run mcp:test:a2ui && npm run mcp:test:scenarios && npm run mcp:test:fillrate:top && npm run mcp:test:graphmcp:test:consistencytsx scripts/test/test-graph-consistency.tsmcp:test:coveragetsx scripts/audit/coverage-report.tsmcp:test:effecttsx scripts/test/test-graph-effect.ts- …and 43 more.
Dependencies5
@modelcontextprotocol/sdk^1.29.0commander^12.1.0fast-xml-parser^5.8.0graphology^0.26.0zod^3.23.8