Package evidence
[email protected]
Install Lifecycle Suppresses Failure: postinstall="(npm rebuild node-pty --build-from-source 2>/dev/null || npm rebuild node-pty 2>/dev/null || true) && (npm rebuild better-sqlite3 2>/dev/null || true)"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1,364 (Niche · −30% score)
- Versions published: 190
- First published: Feb 2026
- Publisher: yellowsunhy
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Install Lifecycle Suppresses Failure: postinstall="(npm rebuild node-pty --build-from-source 2>/dev/null || npm rebuild node-pty 2>/dev/null || true) && (npm rebuild better-sqlite3 2>/dev/null || true)"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 63 · status changed
Evidence
Static findings
23 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | postinstall="(npm rebuild node-pty --build-from-source 2>/dev/null \|\| npm rebuild node-pty 2>/dev/null \|\| true) && (npm rebuild better-sqlite3 2>/dev/null \|\| true)" | 20 |
| medium | Remote Payload | package/dist/backend/backend/src/services/browser/chrome-discovery.service.js | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/_common/complete-body-shape.test.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/core/create-intent-tasks/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/core/decompose-intent/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/core/update-intent-task/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/marketing/submit-for-approval/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/screenshot-compare/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/xiaoyuzhoufm-transcript/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/orchestrator/decompose-mission/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/orchestrator/decompose-okr/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/orchestrator/design-team/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/orchestrator/measure-kr/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/orchestrator/review-mission/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/team-leader/design-checklist/execute.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/core/create-request/execute.test.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/core/reply-channel/execute.test.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/agent/browse-stealth/launch-chrome-cdp.sh | matched "curl " | 12 |
| medium | Remote Payload | package/config/skills/_common/lib.sh | matched "curl " | 12 |
Remaining findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Messenger Bot Endpoint | package/dist/backend/backend/src/constants.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Messenger Bot Endpoint | package/dist/cli/backend/src/constants.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Credential file access | package/dist/backend/backend/src/services/messaging/adapters/google-chat-messenger.adapter.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="(npm rebuild node-pty --build-from-source 2>/dev/null \|\| npm rebuild node-pty 2>/dev/null \|\| true) && (npm rebuild better-sqlite3 2>/dev/null \|\| true)" | 5 |
Manifest
Package metadata
Scripts (37)
- `build`: `npm run build:backend && npm run build:frontend && npm run build:cli`
- `build:backend`: `tsc -p backend/tsconfig.json`
- `build:cli`: `tsc -p cli/tsconfig.json`
- `build:frontend`: `cd frontend && npm run build`
- `build:server`: `npm run build:backend && npm run build:cli`
- `dev`: `concurrently "npm run dev:backend" "npm run dev:frontend"`
- `dev:backend`: `npx tsx backend/src/index.ts`
- `dev:backend:debug`: `node --inspect --import tsx backend/src/index.ts`
- `dev:backend:watch`: `npx tsx watch backend/src/index.ts`
- `dev:frontend`: `cd frontend && npm run dev`
- `docker:build`: `docker build -t crewly .`
- `docker:compose:down`: `docker-compose down`
- `docker:compose:logs`: `docker-compose logs -f`
- `docker:compose:up`: `docker-compose up -d`
- `docker:run`: `docker run -p 8788:8788 crewly`
- `eval:l4`: `npx tsx backend/src/services/agent/crewly-agent/eval/run-eval-l4.ts`
- `lint`: `eslint . --ext .ts,.tsx`
- `logs:pm2`: `pm2 logs`
- `monit:pm2`: `pm2 monit`
- `postinstall`: `(npm rebuild node-pty --build-from-source 2>/dev/null || npm rebuild node-pty 2>/dev/null || true) && (npm rebuild better-sqlite3 2>/dev/null || true)`
- `prepublishOnly`: `npm run build`
- `reload:pm2`: `pm2 reload ecosystem.config.js`
- `restart:pm2`: `pm2 restart ecosystem.config.js`
- `start`: `node dist/cli/cli/src/index.js start`
- `start:pm2`: `pm2 start ecosystem.config.js`
- `stop:pm2`: `pm2 stop ecosystem.config.js`
- `test`: `jest`
- `test:backend`: `jest tests/unit tests/integration`
- `test:e2e`: `playwright test`
- `test:e2e:headed`: `playwright test --headed`
- …and 7 more.

Dependencies (42)
- @ai-sdk/anthropic ^3.0.58
- @ai-sdk/google ^3.0.43
- @ai-sdk/openai ^3.0.41
- @opentelemetry/api ^1.9.0
- @opentelemetry/exporter-trace-otlp-http ^0.213.0
- @opentelemetry/instrumentation-express ^0.61.0
- @opentelemetry/instrumentation-http ^0.213.0
- @opentelemetry/resources ^2.6.0
- @opentelemetry/sdk-node ^0.213.0
- @opentelemetry/sdk-trace-node ^2.6.0
- @opentelemetry/semantic-conventions ^1.40.0
- @supabase/supabase-js ^2.99.0
- @types/better-sqlite3 ^7.6.13
- @xterm/headless ^6.0.0
- ai ^6.0.116
- ajv ^8.18.0
- axios ^1.11.0
- better-sqlite3 ^12.8.0
- chalk ^5.3.0
- chokidar ^3.5.3
- commander ^11.0.0
- cors ^2.8.5
- cron-parser ^5.5.0
- dotenv ^17.2.3
- express ^4.18.2
- helmet ^8.1.0
- ioredis ^5.10.1
- jsonwebtoken ^9.0.3
- mongodb ^7.1.0
- morgan ^1.10.1
- …and 12 more.

Optional dependencies (3)
- @modelcontextprotocol/sdk ^0.5.0
- @slack/bolt ^3.22.0
- @whiskeysockets/baileys ^7.0.0-rc.9