Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 53
Versions published: 17
First published: Mar 2026
Publisher: suubro

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishersuubro

Artifact bytes3,726,732

Previous version0.10.0

Published2026-05-27T11:26:51.889Z

SHA-2564f396e3bb821615616610822f0152bcaf2b90ed7537aac2102cc50096bff3ee7

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

21d agoLast checked

reviewRisk

98Score

0.11.0Version

Status history (1 event)

new → available21d ago · risk review · score 98 · status changed

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/server/defaults/roles/team-lead.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/web/web_fetch.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/web/web_search.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/filesystem/write.yaml	matched "curl "	12

Show all 14 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/server/defaults/roles/team-lead.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/web/web_fetch.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/web/web_search.yaml	matched "curl "	12
medium	Remote Payload	package/dist/server/defaults/tools/filesystem/write.yaml	matched "curl "	12
low	Credential file access	package/dist/ui/assets/azure-openai-responses-BfehJkIJ.js	matched ".azure"	5
low	Credential file access	package/dist/ui/assets/edit-CLPUkaSB.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/server/agent/host-tokens.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/server/agent/model-registry.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/server/agent/project-sandbox.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/ui/assets/proposal-panels-rXvxAkEU.js	matched "github_token"	5
low	Credential file access	package/dist/server/agent/sandbox-mounts.js	matched ".ssh"	5
low	Credential file access	package/dist/server/server.js	matched "github_token"	5
low	Credential file access	package/dist/server/agent/session-manager.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/ui/assets/settings-page-ClHvgmN2.js	matched "github_token"	5

Manifest

Package metadata

Scripts26

buildnpm run build:server && npm run build:ui
build:binariesnode scripts/build-binaries.mjs
build:servertsc -p tsconfig.server.json && shx chmod +x dist/server/cli.js && shx rm -rf dist/server/defaults && node scripts/copy-defaults.mjs
build:uivite build
checktsc -p tsconfig.server.json --noEmit && tsc -p tsconfig.web.json --noEmit
cleanshx rm -rf dist
devconcurrently -n gw,ui -c blue,green "node dist/server/cli.js --cwd . --no-ui" "vite"
dev:harnessnpm run build:server && concurrently -n harness,ui -c yellow,green "node dist/server/harness.js -- --cwd . --no-ui" "vite"
dev:nordnpm run build:server && node scripts/dev-nord.mjs
dev:watchdognpm run build:server && concurrently -n watchdog,ui -c red,green "node dist/server/watchdog.js -- --cwd . --no-ui" "vite"
prepublishOnlynpm run build
pretest:unitnode -e "require('fs').existsSync('dist/server')||require('child_process').execSync('npm run build:server',{stdio:'inherit'})"
restart-servernode dist/server/harness-signal.js
startnode dist/server/cli.js --cwd .
testnpm run build && npm run test:unit && npm run test:e2e:run -- && npx playwright test --config playwright-fullstack.config.ts
test:bundlenpm run build:ui && npx tsx --test tests/bundle-size.test.ts
test:coveragenpm run build:server && shx rm -rf coverage && npx playwright test --config playwright-e2e-coverage.config.ts && npx c8 --temp-directory=coverage/tmp --src=src/server npx tsx --test --test-force-exit tests/workflow-manager-logic.test.ts tests/task-state-machine.test.ts tests/name-validation.test.ts tests/gate-store-logic.test.ts tests/system-prompt.test.ts tests/session-store.test.ts tests/cost-tracker.test.ts tests/event-buffer.test.ts tests/staff-trigger-engine.test.ts && npx c8 report --temp-directory=coverage/tmp --reports-dir=coverage --reporter=html --reporter=lcov --reporter=text
test:e2enpm run build --silent && npm run test:e2e:run --
test:e2e:realnpm run build && npx playwright test --config tests/playwright-e2e.config.ts
test:e2e:runnode scripts/run-playwright-e2e.mjs
test:e2e:smokenpm run build --silent 2>/dev/null && npx playwright test --config playwright-e2e-smoke.config.ts
test:e2e:standardnpm run build --silent && npx playwright test --config playwright-e2e-standard.config.ts
test:fullstacknpm run build && npx playwright test --config playwright-fullstack.config.ts
test:manualnpm run build && npx playwright test --config playwright-manual.config.ts
test:unitnpx tsx --import ./tests/helpers/css-stub-loader.mjs --test --test-force-exit tests/*.test.ts && npx playwright test --config tests/playwright.config.ts
test:unit-coveragenpx c8 --reporter=text --temp-directory=coverage/unit-tmp --reports-dir=coverage/unit --src=src/server npx tsx --test --test-force-exit tests/*.test.ts

Dependencies21

@earendil-works/pi-agent-core0.75.5
@earendil-works/pi-ai0.75.5
@earendil-works/pi-coding-agent0.75.5
@lmstudio/sdk^1.5.0
@mariozechner/mini-lit^0.2.0
@recogito/text-annotator^3.4.9
@sinclair/typebox^0.34.41
acme-client^5.4.0
docx-preview^0.3.7
flexsearch0.8.158
jszip^3.10.1
lit^3.3.1
lucide^0.544.0
marked^18.0.4
mkcert^3.2.0
ollama^0.6.0
pdfjs-dist5.4.394
qrcode^1.5.4
sortablejs^1.15.7
ws^8.18.0
yaml^2.8.2

Optional dependencies5

@bobbit/binaries-darwin-arm640.9.0
@bobbit/binaries-darwin-x640.9.0
@bobbit/binaries-linux-arm640.9.0
@bobbit/binaries-linux-x640.9.0
@bobbit/binaries-win32-x640.9.0