PkgRadar

Package evidence

[email protected]

Remote Payload: matched "api.telegram.org/bot"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 702
Versions published: 17
First published: May 2026
Publisher: shingoirie

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: shingoirie
Artifact bytes: 780,026
Previous version: 0.1.20
Published: 2026-06-01T05:49:54.084Z
SHA-256: 0239963e2d6d3cfc0cbbfb3b4225a45ecd4dffe06a167344832a3fe779713c58

Why flagged

What the scanner saw

Remote Payload: matched "api.telegram.org/bot"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 29
Version: 0.1.21
Status history (1 event)
  1. new · available · risk review · score 29 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/cli/index.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/install.sh | matched "curl " | 12 |
| low | Messenger Bot Endpoint | package/dist/cli/index.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |

Manifest

Package metadata

Scripts (19)
  • build: node scripts/build-dist.mjs
  • demo: npm run build && node scripts/local-cli.mjs setup && node scripts/local-cli.mjs run memo-save --text test-memo
  • pack:check: npm pack --dry-run
  • prepack: npm run build
  • release:check: npm test && npm run test:compat && npm run test:release && npm run pack:check
  • setup: npm ci --include=dev && npm run build && node scripts/local-cli.mjs setup
  • setup:global: npm ci --include=dev && npm run build && npm link && agent-sin setup && agent-sin service install
  • smoke:providers: npm run build && node scripts/smoke-providers.mjs
  • start: npm run build && node scripts/local-cli.mjs chat
  • test: npm run build && npm run test:latest:built
  • test:all:built: node --test tests/*.test.mjs
  • test:channels: npm run build && node --test tests/discord-bot.test.mjs tests/discord-slash-invocation.test.mjs tests/telegram-bot.test.mjs tests/telegram-notification-log.test.mjs
  • test:compat: npm run build && npm run test:compat:built
  • test:compat:built: node --test --test-name-pattern '^compat:' tests/builtin-skills.test.mjs tests/conversation-runtime.test.mjs tests/ctx-history.test.mjs tests/memo-migration.test.mjs tests/models-yaml-template.test.mjs tests/transfer.test.mjs
  • test:conversation: npm run build && node --test --test-skip-pattern '^compat:' tests/conversation-runtime.test.mjs tests/chat-multimodal.test.mjs
  • test:core: npm run build && node --test --test-skip-pattern '^compat:' tests/ai-provider.test.mjs tests/image-attachments.test.mjs tests/models-yaml-template.test.mjs tests/update-notifier.test.mjs
  • test:latest:built: node --test --test-skip-pattern '^compat:' tests/ai-provider.test.mjs tests/builtin-skills.test.mjs tests/chat-multimodal.test.mjs tests/conversation-runtime.test.mjs tests/ctx-history.test.mjs tests/ctx-notify.test.mjs tests/discord-bot.test.mjs tests/discord-slash-invocation.test.mjs tests/image-attachments.test.mjs tests/memo-flat-structure.test.mjs tests/models-yaml-template.test.mjs tests/nightly-topic-knowledge.test.mjs tests/skill-outputs.test.mjs tests/telegram-bot.test.mjs tests/telegram-notification-log.test.mjs tests/update-notifier.test.mjs
  • test:release: npm run build && node --test tests/release-readiness.test.mjs
  • test:skills: npm run build && node --test --test-skip-pattern '^compat:' tests/builtin-skills.test.mjs tests/ctx-history.test.mjs tests/ctx-notify.test.mjs tests/memo-flat-structure.test.mjs tests/nightly-topic-knowledge.test.mjs tests/skill-outputs.test.mjs
Dependencies (6)
  • better-sqlite3 ^12.10.0
  • nodemailer ^8.0.7
  • qrcode ^1.5.4
  • typescript ^5.9.3
  • ws ^8.20.0
  • yaml ^2.7.0