Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub Actions: Trusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI: curl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Install Lifecycle Suppresses Failure: prepare="husky || exit 0"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 30 · status changed
Related candidates
Linked campaigns and clusters
Install Lifecycle Suppresses Failure — prepare="husky || exit 0"
2 members · evidence strength 56
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | prepare="husky \|\| exit 0" | 20 |
| low | Install-time lifecycle script | package.json | prepare="husky \|\| exit 0" | 4 |
| low | Obfuscation | package/tools/cli/lib/ui.js | matched "\\u001B" | 3 |
| low | Obfuscation | package/src/shared/scripts/skf-scan-skill-md-structure.py | matched "\\x00" | 3 |
Manifest
Package metadata
Scripts (27)
| Script | Command |
|---|---|
| docs:build | `node tools/build-docs.js` |
| docs:dev | `npm run --prefix website docs:dev` |
| docs:fix-links | `node tools/fix-doc-links.js --write` |
| docs:preview | `npm run --prefix website preview` |
| docs:validate-drift | `node tools/validate-docs-drift.js` |
| docs:validate-links | `node tools/validate-doc-links.js` |
| format:check | `prettier --check "**/*.{js,cjs,mjs,json,yaml}"` |
| format:fix | `prettier --write "**/*.{js,cjs,mjs,json,yaml}"` |
| lint | `eslint . --ext .js,.cjs,.mjs,.yaml --max-warnings=0` |
| lint:fix | `eslint . --ext .js,.cjs,.mjs,.yaml --fix` |
| lint:md | `markdownlint-cli2 "**/*.md"` |
| prepare | `husky \|\| exit 0` |
| quality | `npm run format:check && npm run lint && npm run lint:md && npm run test:schemas && npm run test:install && npm run test:cli && npm run test:workflow && npm run test:python && npm run test:knowledge && npm run validate:schemas && npm run validate:skills && npm run validate:refs && npm run docs:validate-drift` |
| skf:install | `node tools/cli/skf-cli.js install` |
| skf:status | `node tools/cli/skf-cli.js status` |
| skf:uninstall | `node tools/cli/skf-cli.js uninstall` |
| skf:update | `node tools/cli/skf-cli.js update` |
| test | `npm run test:schemas && npm run test:install && npm run test:cli && npm run test:workflow && npm run test:python && npm run test:knowledge && npm run validate:schemas && npm run validate:skills && npm run validate:refs && npm run lint && npm run lint:md && npm run format:check` |
| test:cli | `node test/test-cli-integration.js` |
| test:install | `node test/test-installation-components.js` |
| test:knowledge | `node test/test-knowledge-base.js` |
| test:python | `uv run --with pytest --with pyyaml --with jsonschema pytest test/test-compute-score-contract.py test/test-skf-preflight.py test/test-skf-skill-inventory.py test/test-skf-validate-output.py test/test-skf-validate-frontmatter.py test/test-skf-manifest-ops.py test/test-skf-rebuild-managed-sections.py test/test-skf-severity-classify.py test/test-skf-structural-diff.py test/test-skf-detect-tools.py test/test-skf-forge-tier-rw.py test/test-skf-emit-result-envelope.py test/test-skf-qmd-classify-collections.py test/test-skf-merge-ccc-exclusions.py test/test-skf-resolve-package.py test/test-skf-extract-public-api.py test/test-skf-render-quick-metadata.py test/test-skf-validate-brief-inputs.py test/test-skf-emit-brief-result-envelope.py test/test-skf-write-skill-brief.py test/test-skf-detect-workspaces.py test/test-skf-recommend-scope-type.py test/test-skf-detect-language.py test/test-skf-description-guard.py test/test-skf-detect-scripts-assets.py test/test-skf-hash-content.py test/test-skf-validate-brief-schema.py test/test-skf-check-workspace-drift.py test/test-skf-update-active-symlink.py test/test-skf-build-change-manifest.py test/test-skf-provenance-gap-dispatch.py test/test-skf-resolve-authoritative-files.py test/test-skf-scan-manifests.py test/test-skf-pair-intersect.py test/test-skf-enumerate-stack-skills.py test/test-skf-compare-file-hashes.py test/test-skf-load-provenance.py test/test-skf-scan-skill-md-structure.py test/test-skf-disqualify-candidates.py test/test-skf-chain-reachability.py -v` |
| test:schemas | `node test/test-agent-schema.js` |
| test:workflow | `node test/test-workflow-state.js` |
| validate:refs | `node tools/validate-file-refs.js --strict` |
| validate:schemas | `node test/validate-agent-schema.js` |
| validate:skills | `node tools/validate-skills.js --strict` |
Dependencies (6)
| Package | Version |
|---|---|
| @clack/prompts | ^1.1.0 |
| chalk | ^4.1.2 |
| commander | ^14.0.0 |
| figlet | ^1.8.0 |
| fs-extra | ^11.3.0 |
| js-yaml | ^4.1.0 |