PkgRadar

Package evidence

[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 165
Versions published: 18
First published: Mar 2026
Publisher: suubro

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: suubro
Artifact bytes: 4,007,931
Previous version: 0.11.0
Published: 2026-06-03T07:49:07.216Z
SHA-256: 21851dfdaf4d046ca3836c11a49f52b2aa13c17733fc80c4a41635b130afafda

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 15
Version: 0.12.0
Status history (1 event)
  1. new · available · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/ui/assets/edit-B9XsMHfU.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/server/agent/model-registry.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/server/agent/sandbox-mounts.js | matched ".npmrc" | 5 |

Manifest

Package metadata

Scripts (26)
  • build → npm run build:server && npm run build:ui
  • build:binaries → node scripts/build-binaries.mjs
  • build:server → tsc -p tsconfig.server.json && shx chmod +x dist/server/cli.js && shx rm -rf dist/server/defaults && node scripts/copy-defaults.mjs
  • build:ui → vite build
  • check → tsc -p tsconfig.server.json --noEmit && tsc -p tsconfig.web.json --noEmit
  • clean → shx rm -rf dist
  • dev → concurrently -n gw,ui -c blue,green "node dist/server/cli.js --cwd . --no-ui" "vite"
  • dev:harness → npm run build:server && concurrently -n harness,ui -c yellow,green "node dist/server/harness.js -- --cwd . --no-ui" "vite"
  • dev:nord → npm run build:server && node scripts/dev-nord.mjs
  • dev:watchdog → npm run build:server && concurrently -n watchdog,ui -c red,green "node dist/server/watchdog.js -- --cwd . --no-ui" "vite"
  • prepublishOnly → npm run build
  • pretest:unit → node -e "require('fs').existsSync('dist/server')||require('child_process').execSync('npm run build:server',{stdio:'inherit'})"
  • restart-server → node dist/server/harness-signal.js
  • start → node dist/server/cli.js --cwd .
  • test → npm run build && npm run test:unit && npm run test:e2e:run -- && npx playwright test --config playwright-fullstack.config.ts
  • test:bundle → npm run build:ui && npx tsx --test tests/bundle-size.test.ts
  • test:coverage → npm run build:server && shx rm -rf coverage && npx playwright test --config playwright-e2e-coverage.config.ts && npx c8 --temp-directory=coverage/tmp --src=src/server npx tsx --test --test-force-exit tests/workflow-manager-logic.test.ts tests/task-state-machine.test.ts tests/name-validation.test.ts tests/gate-store-logic.test.ts tests/system-prompt.test.ts tests/session-store.test.ts tests/cost-tracker.test.ts tests/event-buffer.test.ts tests/staff-trigger-engine.test.ts && npx c8 report --temp-directory=coverage/tmp --reports-dir=coverage --reporter=html --reporter=lcov --reporter=text
  • test:e2e → npm run build --silent && npm run test:e2e:run --
  • test:e2e:real → npm run build && npx playwright test --config tests/playwright-e2e.config.ts
  • test:e2e:run → node scripts/run-playwright-e2e.mjs
  • test:e2e:smoke → npm run build --silent 2>/dev/null && npx playwright test --config playwright-e2e-smoke.config.ts
  • test:e2e:standard → npm run build --silent && npx playwright test --config playwright-e2e-standard.config.ts
  • test:fullstack → npm run build && npx playwright test --config playwright-fullstack.config.ts
  • test:manual → npm run build && npx playwright test --config playwright-manual.config.ts
  • test:unit → npx tsx --import ./tests/helpers/css-stub-loader.mjs --test --test-force-exit tests/*.test.ts && npx playwright test --config tests/playwright.config.ts
  • test:unit-coverage → npx c8 --reporter=text --temp-directory=coverage/unit-tmp --reports-dir=coverage/unit --src=src/server npx tsx --test --test-force-exit tests/*.test.ts
Dependencies (21)
  • @earendil-works/pi-agent-core 0.77.0
  • @earendil-works/pi-ai 0.77.0
  • @earendil-works/pi-coding-agent 0.77.0
  • @lmstudio/sdk ^1.5.0
  • @mariozechner/mini-lit ^0.2.0
  • @recogito/text-annotator ^3.4.9
  • @sinclair/typebox ^0.34.41
  • acme-client ^5.4.0
  • docx-preview ^0.3.7
  • flexsearch 0.8.158
  • jszip ^3.10.1
  • lit ^3.3.1
  • lucide ^0.544.0
  • marked ^18.0.4
  • mkcert ^3.2.0
  • ollama ^0.6.0
  • pdfjs-dist 5.4.394
  • qrcode ^1.5.4
  • sortablejs ^1.15.7
  • ws ^8.18.0
  • yaml ^2.8.2
Optional dependencies (5)
  • @bobbit/binaries-darwin-arm64 0.9.0
  • @bobbit/binaries-darwin-x64 0.9.0
  • @bobbit/binaries-linux-arm64 0.9.0
  • @bobbit/binaries-linux-x64 0.9.0
  • @bobbit/binaries-win32-x64 0.9.0