Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1,959 (Niche · −30% score)
- Versions published: 148
- First published: Mar 2026
- Publisher: arc402
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Remote Payload: matched "api.telegram.org/bot"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 11 · status available -> available, risk high -> review, score 70 -> 11
- new → available · risk high · score 70 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/commands/telegram.js | matched "api.telegram.org/bot" | 12 |
| low | Messenger Bot Endpoint | package/dist/commands/telegram.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
Manifest
Package metadata
Scripts (5)
| Script | Command |
|---|---|
| build | `tsc` |
| postpack | `node -e "const fs=require('fs'),path=require('path'); for(const rel of ['workroom','hermes']){ const dst=path.resolve(__dirname,rel); fs.rmSync(dst,{recursive:true,force:true}); console.log('Removed packaged ' + rel + '/ copy'); }"` |
| prepack | `npm run build && node -e "const fs=require('fs'),path=require('path'); const copies=[['../../workroom','workroom'],['../../hermes','hermes']]; for(const [srcRel,dstRel] of copies){ const src=path.resolve(__dirname,srcRel); const dst=path.resolve(__dirname,dstRel); if(fs.existsSync(src)){ fs.rmSync(dst,{recursive:true,force:true}); fs.cpSync(src,dst,{recursive:true}); console.log('Copied ' + dstRel + '/ into package'); } else { console.warn('WARNING: ' + srcRel + ' not found - ' + dstRel + '/ files will be missing from package'); } }"` |
| prepublishOnly | `npm run prepack` |
| test | `node --test test/**/*.test.js` |
Dependencies (25)
| Dependency | Range |
|---|---|
| @arc402/daemon | ^0.9.2 |
| @arc402/sdk | ^0.6.6 |
| @coinbase/wallet-sdk | ^4.3.7 |
| @types/better-sqlite3 | ^7.6.13 |
| @types/qrcode | ^1.5.6 |
| @types/react | ^18.3.28 |
| @walletconnect/keyvaluestorage | ^1.1.1 |
| @walletconnect/sign-client | ^2.17.4 |
| better-sqlite3 | ^12.8.0 |
| chalk | ^5.3.0 |
| cli-table3 | ^0.6.3 |
| commander | ^12.1.0 |
| ethers | ^6.13.4 |
| ink | 3.2.0 |
| ink-text-input | 4.0.3 |
| jose | ^6.2.1 |
| ora | ^8.1.1 |
| prompts | ^2.4.2 |
| qrcode | ^1.5.4 |
| qrcode-terminal | ^0.12.0 |
| react | ^18.3.1 |
| react-reconciler | ^0.26.2 |
| smol-toml | ^1.6.0 |
| tweetnacl | ^1.0.3 |
| yaml | ^2.8.2 |