Package evidence

[email protected]

Install Lifecycle Remote Or Exec: preinstall="node -e \"var ua=process.env.npm_config_user_agent||'';if(process.versions.bun||ua.startsWith('bun/')||process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install | bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh | bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 956
Versions published: 48
First published: Mar 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes968,882

Previous version0.8.0-rc2

Published2026-06-04T00:44:46.574Z

SHA-256733535654bc0f92875614debb50aa19d8c4d620a7dc91e7e80825fc466406c67

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: preinstall added in 0.8.0 vs 0.8.0-rc2: "node -e \"var ua=process.env.npm_config_user_agent||'';if(process.versions.bun||ua.startsWith('bun/')||process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install | bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh | bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

4h agoLast checked

highRisk

75Score

0.8.0Version

Status history (1 event)

new → available4h ago · risk high · score 75 · status changed

Evidence

Static findings

2 static · 1 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	preinstall added in 0.8.0 vs 0.8.0-rc2: "node -e \"var ua=process.env.npm_config_user_agent\|\|'';if(process.versions.bun\|\|ua.startsWith('bun/')\|\|process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install \| bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh \| bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""	40
high	Install Lifecycle Remote Or Exec	package.json	preinstall="node -e \"var ua=process.env.npm_config_user_agent\|\|'';if(process.versions.bun\|\|ua.startsWith('bun/')\|\|process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install \| bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh \| bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""	30

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	preinstall added in 0.8.0 vs 0.8.0-rc2: "node -e \"var ua=process.env.npm_config_user_agent\|\|'';if(process.versions.bun\|\|ua.startsWith('bun/')\|\|process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install \| bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh \| bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""	40
high	Install Lifecycle Remote Or Exec	package.json	preinstall="node -e \"var ua=process.env.npm_config_user_agent\|\|'';if(process.versions.bun\|\|ua.startsWith('bun/')\|\|process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install \| bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh \| bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""	30
low	Install-time lifecycle script	package.json	preinstall="node -e \"var ua=process.env.npm_config_user_agent\|\|'';if(process.versions.bun\|\|ua.startsWith('bun/')\|\|process.env.BUN_INSTALL){process.exit(0)}console.error('\\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\\n Running under Node.js is not supported in this release.\\n Install options:\\n 1. Bun: curl -fsSL https://bun.sh/install \| bash && bun install -g akm-cli\\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh \| bash\\n Cross-runtime support is planned for 0.9.0.\\n');process.exit(1)\""	5

Manifest

Package metadata

Scripts20

buildrm -rf dist && bun run tsc --project ./tsconfig.build.json && bun scripts/copy-assets.ts
checkbun run lint && bunx tsc --noEmit && bun run test:unit && bun run test:integration
check:changedbun test tests/output-baseline.test.ts tests/integration/e2e.test.ts tests/stash-search.test.ts && bun run lint && bunx tsc --noEmit
formatbunx biome format --write src/ tests/
lintbunx biome check src/ tests/ && bun scripts/lint-tests-isolation.ts && bun scripts/lint-license-headers.ts
lint:devto-postsbun scripts/lint-devto-posts.ts
lint:devto-posts:fixbun scripts/lint-devto-posts.ts --fix
lint:fixbunx biome check --write src/ tests/
lint:isolationbun scripts/lint-tests-isolation.ts
lint:tests-isolationbun scripts/lint-tests-isolation.ts
postpublishgit checkout -- README.md
preinstallnode -e "var ua=process.env.npm_config_user_agent||'';if(process.versions.bun||ua.startsWith('bun/')||process.env.BUN_INSTALL){process.exit(0)}console.error('\n ERROR: akm-cli 0.8 requires the Bun runtime (https://bun.sh) or the prebuilt binary.\n Running under Node.js is not supported in this release.\n Install options:\n 1. Bun: curl -fsSL https://bun.sh/install | bash && bun install -g akm-cli\n 2. Binary: curl -fsSL https://github.com/itlackey/akm/releases/latest/download/install.sh | bash\n Cross-runtime support is planned for 0.9.0.\n');process.exit(1)"
prepublishOnlycp .github/README.npm.md README.md && bun run build
publish:devtonpx -y @sinedied/devto-cli push "docs/posts/**/*.md" --token "$DEVTO_TOKEN" --repo "$GITHUB_REPOSITORY" --branch "${GITHUB_REF_NAME:-main}" --reconcile
release:check./tests/release-check.sh
testbun test --parallel=12 --timeout=30000 ./tests --path-ignore-patterns=tests/integration
test:integrationbun test --parallel=12 --timeout=30000 ./tests/integration ./tests/commands ./tests/workflows
test:shardedbun test ./tests --shard=1/4 & bun test ./tests --shard=2/4 & bun test ./tests --shard=3/4 & bun test ./tests --shard=4/4 & wait
test:timebun scripts/test-timing-report.ts
test:unitbun test --parallel=12 --timeout=30000 ./tests --path-ignore-patterns=tests/integration

Dependencies7

@clack/prompts^1.3.0
@opencode-ai/sdk1.2.20
citty^0.2.2
dotenv^17.4.2
yaml^2.8.4
zod^3.23.0
zod-to-json-schema^3.23.0

Optional dependencies2

@huggingface/transformers^4.2.0
sqlite-vec^0.1.9