PkgRadar

Package evidence

[email protected]

Credential file access: matched "aws_access_key"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
7
Versions published
2
First published
May 2026
Publisher
benjamin.persky

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherbenjamin.persky
Artifact bytes142,281
Previous version0.1.0
Published2026-06-15T10:00:42.482Z
SHA-256e0b1e0115dc7315dcbfa1bcd78c7e1e75cf34897af6455897afe5eb2d446ac99

Why flagged

What the scanner saw

Credential file access: matched "aws_access_key"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
0.2.0Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/avorelo.mjsmatched "aws_access_key"5

Manifest

Package metadata

Scripts89
  • activatenode src/avorelo/surfaces/cli/avorelo.ts activate
  • activation:statusnode src/avorelo/surfaces/cli/avorelo.ts status
  • activation:verifynode src/avorelo/surfaces/cli/avorelo.ts verify
  • adopt:skill-batchnode tools/adopt-skill-batch.ts
  • audit:old-core-paritynode tools/audit-old-core-parity.ts
  • avorelonode src/avorelo/surfaces/cli/avorelo.ts
  • billing:statusnode -e "const{buildBillingState}=require('./src/avorelo/capabilities/billing/index.ts');console.log(JSON.stringify(buildBillingState(),null,2))"
  • buildnpx esbuild src/avorelo/surfaces/cli/avorelo.ts --bundle --platform=node --format=esm --outfile=dist/avorelo.mjs --target=node24 --external:better-auth --external:drizzle-orm --external:postgres --external:hono --external:@hono/node-server
  • build:sitenode src/avorelo/surfaces/cli/avorelo.ts site --target . --out dist/site
  • cli:localnode src/avorelo/surfaces/cli/avorelo.ts
  • cloud:devnode src/avorelo/surfaces/cloud-api/server.ts
  • company-loopnode tools/generate-founder.ts
  • connected-preview:checknode tools/connected-preview-check.ts
  • control:routenode tools/route-primitive.ts
  • db:generatenpx drizzle-kit generate
  • db:migratenpx drizzle-kit migrate
  • db:studionpx drizzle-kit studio
  • dogfoodnode src/avorelo/dogfood/slice1.ts
  • dogfood:activationnode src/avorelo/dogfood/activation.ts
  • dogfood:adapter-secret-boundarynode src/avorelo/dogfood/adapter-secret-boundary.ts
  • dogfood:allnpm run dogfood:phase1 && npm run dogfood:secret-boundary && npm run dogfood:workcontract-routing && npm run dogfood:context-compiler && npm run dogfood:context-check && npm run dogfood:continuity && npm run dogfood:token-cost && npm run dogfood:proof-report && npm run dogfood:value-ledger && npm run dogfood:efficiency-sync && npm run dogfood:runtime-flow && npm run dogfood:control-center && npm run dogfood:activation && npm run dogfood:core-readiness && npm run dogfood:canonical-readiness && npm run dogfood:migration && npm run dogfood:adapter-secret-boundary && npm run dogfood:architecture-invariants && npm run dogfood:package-safety && npm run dogfood:settings && npm run dogfood:update-channel && npm run dogfood:dogfood-learning && npm run dogfood:dogfood-learning-e2e
  • dogfood:architecture-invariantsnode src/avorelo/dogfood/architecture-invariants.ts
  • dogfood:billingnode src/avorelo/dogfood/billing.ts
  • dogfood:canonical-readinessnode src/avorelo/dogfood/canonical-readiness.ts
  • dogfood:cloud-syncnode src/avorelo/dogfood/cloud-sync.ts
  • dogfood:company-loopnode src/avorelo/dogfood/company-loop.ts
  • dogfood:connected-flownode src/avorelo/dogfood/connected-flow.ts
  • dogfood:context-checknode src/avorelo/dogfood/context-check.ts
  • dogfood:context-compilernode src/avorelo/dogfood/context-compiler.ts
  • dogfood:continuitynode src/avorelo/dogfood/continuity.ts
  • …and 59 more.
Dependencies5
  • @hono/node-server^2.0.4
  • better-auth^1.6.15
  • drizzle-orm^0.45.2
  • hono^4.12.25
  • postgres^3.4.9