Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,189Niche · −30% score
- Versions published
- 153Established · −30% score
- First published
- Jul 2025
- Publisher
- danisan_avila
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 70 · status changed
Evidence
Static findings
19 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/api/claude-code-monitor/check-version.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/api/claude-code-check.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/api/claude-code-monitor/discord-notifier.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/file-operations.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/sdk/global-agent-manager.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/index.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cloudflare-workers/docs-monitor/index.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/api/claude-code-monitor/webhook.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/components/skills/web-development/react-best-practices/references/rules/download_rules.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/components/hooks/monitoring/langsmith-tracing.sh | matched "curl " | 12 |
| medium | Remote Payload | package/cloudflare-workers/docs-monitor/setup.sh | matched "curl " | 12 |
Show all 19 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/api/claude-code-monitor/check-version.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/api/claude-code-check.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/api/claude-code-monitor/discord-notifier.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/file-operations.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/sdk/global-agent-manager.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/src/index.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cloudflare-workers/docs-monitor/index.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/api/claude-code-monitor/webhook.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/components/skills/web-development/react-best-practices/references/rules/download_rules.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/cli-tool/components/hooks/monitoring/langsmith-tracing.sh | matched "curl " | 12 |
| medium | Remote Payload | package/cloudflare-workers/docs-monitor/setup.sh | matched "curl " | 12 |
| low | Messenger Bot Endpoint | package/cloudflare-workers/docs-monitor/index.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Messenger Bot Endpoint | package/.claude/hooks/telegram-pr-webhook.py | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Messenger Bot Endpoint | package/cli-tool/components/hooks/automation/telegram-pr-webhook.py | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Obfuscation Density | package/api/package-lock.json | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/cli-tool/package-lock.json | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/cloudflare-workers/docs-monitor/package-lock.json | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/cloudflare-workers/pulse/package-lock.json | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/docu/package-lock.json | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts6
agent:security-auditorsecurity-auditor 'Security audit covering codebase, dependencies, and deployment configuration'buildecho 'Build complete'devvercel devdiscord:registernode api/discord/register-commands.cjsstartvercel devtestecho 'No tests specified'
Dependencies17
@supabase/supabase-js^2.39.0@vercel/postgres^0.10.0axios^1.6.2boxen^5.1.2chalk^4.1.2chokidar^3.5.3commander^11.1.0discord-interactions^3.4.0dotenv^16.3.1express^4.18.2fs-extra^11.1.1inquirer^8.2.6open^8.4.2ora^5.4.1qrcode^1.5.4uuid^11.1.0ws^8.18.3