PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
24
First published
Apr 2026
Publisher
fabrijk96

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherfabrijk96
Artifact bytes1,032,712
Previous version0.17.3
Published2026-06-17T12:31:32.139Z
SHA-25679e4cd147bfea12698a92eccde9acd3485d69902dce92aef68cb731469828c63

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
20Score
0.17.4Version
Status history (1 event)
  1. newavailable · risk review · score 20 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/src/create-quiver/lib/ai/github.jsmatched ".ssh/"5
lowCredential file accesspackage/src/create-quiver/index.jsmatched ".ssh/"5
lowCredential file accesspackage/src/create-quiver/lib/init-docs.jsmatched ".ssh/"5
lowCredential file accesspackage/src/create-quiver/lib/ai/safety.jsmatched ".npmrc"5

Manifest

Package metadata

Scripts60
  • changelog:checknode scripts/ci/check-changelog.js
  • check:prbash tools/scripts/check-pr-readiness.sh
  • check:slicebash tools/scripts/check-slice-readiness.sh
  • cleanup:slicebash tools/scripts/cleanup-slice.sh
  • docs:checknpm run docs:lint && npm run docs:links && npm run docs:commands:check
  • docs:commands:checknode scripts/ci/check-command-reference.js --check
  • docs:commands:writenode scripts/ci/check-command-reference.js --write
  • docs:linksnode scripts/ci/check-doc-links.js
  • docs:lintnode scripts/ci/check-docs-markdown.js
  • migratebash tools/scripts/migrate-project.sh
  • package:quiverbash scripts/package-quiver.sh
  • quiver:ai:agentnpx create-quiver ai agent
  • quiver:ai:approvenpx create-quiver ai approve
  • quiver:ai:doctornpx create-quiver ai doctor
  • quiver:ai:execute-plannpx create-quiver ai execute-plan
  • quiver:ai:execute-slicenpx create-quiver ai execute-slice
  • quiver:ai:exportnpx create-quiver ai export
  • quiver:ai:inspectnpx create-quiver ai inspect
  • quiver:ai:onboardnpx create-quiver ai onboard
  • quiver:ai:plannpx create-quiver ai plan
  • quiver:ai:prnpx create-quiver ai pr
  • quiver:ai:prepare-contextnpx create-quiver ai prepare-context
  • quiver:ai:prompt-slicenpx create-quiver ai prompt-slice
  • quiver:ai:review-plannpx create-quiver ai review-plan
  • quiver:ai:slicesnpx create-quiver ai slices list
  • quiver:ai:specsnpx create-quiver ai specs list
  • quiver:ai:tracenpx create-quiver ai trace report
  • quiver:analyzenpx create-quiver analyze
  • quiver:check-handoffnode bin/create-quiver.js handoff check
  • quiver:check-prnode bin/create-quiver.js slice pr
  • …and 30 more.
Dependencies2
  • @clack/prompts^1.4.0
  • zod^4.4.3