Package evidence

[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 2,307Niche · −30% score
Versions published: 33
First published: May 2026
Publisher: ironclawdevs27

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherironclawdevs27

Artifact bytes192,656

Previous version9.7.3

Published2026-06-12T07:02:08.224Z

SHA-256b3365c8d92f8a89c0218510186addb1b0e7794ebf96b092012233fbeba7acfdc

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

5d agoLast checked

reviewRisk

21Score

9.7.4Version

Status history (1 event)

new → available5d ago · risk review · score 21 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/src/utils/github-reporter.js	matched "GITHUB_TOKEN"	30

Manifest

Package metadata

Scripts17

chromenode src/cli/chrome-launcher.js
comparenode src/orchestration/env-comparison.js
crawlnode src/orchestration/crawl-and-report.js
doctornode src/cli/doctor.js
harnessnode test-harness/server.js
harness:stagingnode test-harness/server.js --port=3101 --staging
initnode src/cli/init.js
mcp-servernode src/mcp-server.js
report:htmlnode src/utils/html-reporter.js
report:pdfnode src/utils/pdf-exporter.js
servernode src/server/index.js
setupnode -e "import('fs').then(fs => fs.default.mkdirSync('./reports', { recursive: true }))"
testnpm run test:unit && npm run test:harness
test:harnessnode --env-file=test-harness/.env.harness test-harness/validate.js
test:harness:lognode test-harness/run-with-log.mjs
test:unitvitest run test/unit
watchnode src/orchestration/watch-mode.js

Dependencies12

@modelcontextprotocol/sdk^1.29.0
@opentelemetry/api^1.9.1
@opentelemetry/sdk-node^0.218.0
@slack/web-api^7.16.0
axe-core^4.12.0
dotenv^17.4.2
express^5.2.1
pino^10.3.1
pino-pretty^13.1.3
pixelmatch^7.2.0
pngjs^7.0.0
zod^4.4.3