Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 540
- Versions published: 13
- First published: May 2026
- Publisher: bokly
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 12 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/chain-jw7xjxy4.js | matched "raw.githubusercontent.com" | 12 |
Manifest
Package metadata
Scripts (26)
| Script | Command |
|---|---|
| build | bun run --cwd ../apps/hub build && node ./scripts/clean-dist-bundles.mjs && bun build --target=node --splitting --outdir dist chain.ts && cp run.mjs dist/run.mjs && cp registry/bundled-index.yaml dist/registry-index.yaml && rm -rf dist/hub && cp -R ../apps/hub/dist dist/hub |
| changelog | git-cliff -r .. -c ../cliff.toml -o CHANGELOG.md |
| changelog:preview | git-cliff -r .. -c ../cliff.toml --unreleased |
| check:bundled-skill-versions | bun run scripts/check-bundled-skill-versions.ts |
| check:components-json | node ./scripts/check-components-json.mjs |
| check:node-bundle | node ./scripts/check-node-bundle.mjs |
| check:roadmap-catalog | bun run scripts/check-roadmap-catalog.ts |
| dev | bun run chain.ts |
| generate:manifest | bun run scripts/generate-manifest.ts |
| generate:registry-index | bun run scripts/generate-registry-index.ts |
| generate:roadmap | bun run scripts/generate-roadmap.ts |
| install:git-hooks | bun run scripts/run-install-dev-git-hooks.ts |
| pack:check | bun run generate:registry-index -- --check && bun run check:roadmap-catalog && node ./scripts/sync-package-assets.mjs && bun run build && node ./scripts/check-node-bundle.mjs && node ./scripts/check-package-files.mjs |
| prepack | bun run generate:registry-index && node ./scripts/sync-package-assets.mjs && bun run build && node ./scripts/check-package-files.mjs |
| prepublishOnly | bun run build && node ./scripts/check-package-files.mjs |
| pretest | bun run generate:registry-index -- --check && bun run generate:manifest -- --check && bun run check:roadmap-catalog && bun run check:bundled-skill-versions && node ./scripts/sync-package-assets.mjs |
| release:prepare | bun run scripts/release-prepare.ts |
| release:publish | bun run pack:check && bun run smoke:package && npm publish |
| smoke:hub | node ./scripts/hub-smoke.mjs |
| smoke:hub:browser | node ./scripts/hub-browser-smoke.mjs |
| smoke:package | node ./scripts/package-smoke.mjs |
| sync:bundled-in | bun run scripts/bundled-in-from-git.ts -- --apply --since-last-tag |
| sync:bundled-in:all | bun run scripts/bundled-in-from-git.ts -- --apply |
| sync:roadmap-changelog | bun run chain.ts roadmap sync |
| test | bun test |
| version | bun run changelog && bun run sync:roadmap-changelog && bun run sync:bundled-in && bun run generate:registry-index && git add CHANGELOG.md ../roadmap.yaml ../roadmap.md ../apps/hub/public/roadmap.json ../apps/web/src/content/roadmap.json ../registry/index.yaml core/registry.yaml |
Dependencies (4)
| Package | Version range |
|---|---|
| @clack/prompts | ^1.5.1 |
| commander | ^14.0.3 |
| kleur | ^4.1.5 |
| yaml | ^2.9.0 |