Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 478
- Versions published
- 42Established · −30% score
- First published
- Aug 2025
- Publisher
- slacey75
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Known Indicator Filename: package/src/cli/commands/stealth.js
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 35 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/src/cli/commands/stealth.js | package/src/cli/commands/stealth.js | 45 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/src/cli/commands/stealth.js | package/src/cli/commands/stealth.js | 45 |
| low | Install-time lifecycle script | package.json | postinstall="echo '\nCrawlForge MCP Server installed!\n\nQuick start: run \"npx crawlforge init\" to configure your API key, install skills, and register the MCP server with your AI clients.\nOr run \"npx crawlforge-setup\" to configure your API key only.\n'" | 5 |
Manifest
Package metadata
Scripts15
devcross-env NODE_ENV=development node server.jsdocker:builddocker build -t crawlforge .docker:devdocker-compose up crawlforge-devdocker:proddocker-compose up crawlforge-prodpostinstallecho ' CrawlForge MCP Server installed! Quick start: run "npx crawlforge init" to configure your API key, install skills, and register the MCP server with your AI clients. Or run "npx crawlforge-setup" to configure your API key only. 'setupnode setup.jsstartnode server.jsstart:httpnode server.js --httptestnode tests/integration/mcp-protocol-compliance.test.jstest:allbash run-all-tests.shtest:coverageCRAWLFORGE_CREATOR_SECRET= c8 --reporter=text --reporter=lcov --include='src/**/*.js' --exclude='src/**/_*.js' --lines=60 --statements=60 --functions=55 --branches=45 node --test --test-force-exit 'tests/unit/*.test.js' 'tests/integration/tools/*.test.js'test:integrationCRAWLFORGE_CREATOR_SECRET= node --test 'tests/integration/tools/*.test.js'test:real-worldnode test-real-world.jstest:toolsnode test-tools.jstest:unitCRAWLFORGE_CREATOR_SECRET= node --test 'tests/unit/*.test.js'
Dependencies23
@googleapis/customsearch^5.0.1@modelcontextprotocol/sdk^1.29.0@mozilla/readability^0.6.0cheerio^1.1.2commander^12.1.0compromise^14.14.4diff^8.0.2dotenv^17.2.1franc^6.2.0isomorphic-dompurify^3.9.0jsdom^29.0.2lru-cache^11.1.0node-cron^3.0.3node-summarizer^1.0.7p-queue^8.1.0pdf-parse^1.1.1playwright^1.54.2robots-parser^3.0.1turndown^7.2.4turndown-plugin-gfm^1.0.2undici^7.24.0winston^3.11.0zod^3.23.8
Optional dependencies1
camoufox^0.1.19