PkgRadar

Package evidence

[email protected]

Webhook Exfil Endpoint, New Account With Lifecycle Hook, Tls Verification Disabled +3 more

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 4
First published: Jun 2026
Publisher: ajair

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: ajair
Artifact bytes: 18,932,515
Previous version: 2026.6.12
Published: 2026-07-01T13:45:15.067Z
SHA-256: 9976cf5eec8e7b1c6bd2c1eb034c919389744087b307f72992677d91e481e3c6

Why flagged

What the scanner saw

Webhook Exfil Endpoint

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 222
Version: 2026.7.1
Status history (1 event)
  1. new · available · risk review · score 222 · status changed

Evidence

Static findings

28 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Webhook Exfil Endpoint | manifest | | 40 |
| high | Webhook Exfil Endpoint | manifest | | 40 |
| high | Webhook Exfil Endpoint | manifest | | 40 |
| high | New Account With Lifecycle Hook | manifest | | 25 |
| medium | Tls Verification Disabled | manifest | | 12 |
| medium | Credential file access | manifest | | 10 |
| medium | Credential file access | manifest | | 10 |
| medium | Credential file access | manifest | | 10 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Credential file access | manifest | | 5 |
| low | Install-time lifecycle script | manifest | | 5 |
| low | Install-time lifecycle script | manifest | | 5 |
| low | Credential file access | manifest | | 3 |
| low | Obfuscation Density | manifest | | 0 |
| low | Obfuscation Density | manifest | | 0 |
| low | Obfuscation Density | manifest | | 0 |

Manifest

Package metadata

Dependencies: 54
  • @agentclientprotocol/sdk 0.22.1
  • @aivibeclaw/fs-safe npm:@openclaw/[email protected]
  • @aivibeclaw/proxyline npm:@openclaw/[email protected]
  • @anthropic-ai/sdk 0.100.1
  • @clack/core 1.3.1
  • @clack/prompts 1.4.0
  • @earendil-works/pi-tui 0.78.0
  • @google/genai 2.7.0
  • @grammyjs/runner 2.0.3
  • @grammyjs/transformer-throttler 1.2.1
  • @homebridge/ciao 1.3.9
  • @lydell/node-pty 1.2.0-beta.12
  • @mistralai/mistralai 2.2.5
  • @modelcontextprotocol/sdk 1.29.0
  • @mozilla/readability 0.6.0
  • chalk 5.6.2
  • chokidar 5.0.0
  • clawpdf 0.3.0
  • commander 14.0.3
  • croner 10.0.1
  • diff 9.0.0
  • dotenv 17.4.2
  • express 5.2.1
  • file-type 22.0.1
  • glob 13.0.6
  • grammy 1.43.0
  • highlight.js 11.11.1
  • hosted-git-info 10.1.1
  • ignore 7.0.5
  • jiti 2.7.0
  • …and 24 more.
Optional dependencies: 1
  • sqlite-vec 0.1.9