Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1,030Established · −30% score
- First published
- Aug 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh/"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 5 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/server/node_modules/@anthropic-ai/claude-agent-sdk/sdk.mjs | matched ".ssh/" | 5 |
| low | Large Javascript Payload | package/dist/server/cli.js | 9226379 bytes | 0 |
| low | Obfuscation Density | package/dist/client/assets/estree-CRgMSIiv.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/server/server.js | 4832138 bytes | 0 |
| low | Obfuscation Density | package/dist/client/assets/standalone-BioU5qLH.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts18
better-auth:migratebunx --bun @better-auth/cli migrate -y --config src/auth/index.tsbuild:clientbun --bun vite buildbuild:serverbun run scripts/bundle-server-script.ts --dist ./dist/serverchecktsc --noEmitdb:migratebun run ./dist/server/migrate.jsdevbun run migrate && concurrently "bun run dev:client" "bun run dev:server"dev:clientvite devdev:serverbun run --cwd=../../packages/sandbox build && NODE_ENV=development bun --env-file=.env --hot run src/index.tsdev:serversconcurrently "bun run dev:client" "bun run dev:server"migratebun run src/database/migrate.tsprepublishOnlybun run build:client && bun run build:serversmoke:linkbun run scripts/smoke-link.tsstartbun run ./dist/server/server.jstestbun testtest:ctplaywright test -c playwright-ct.config.tstest:ct:uiplaywright test -c playwright-ct.config.ts --uitest:e2eplaywright testtest:e2e:uiplaywright test --ui
Dependencies28
@ai-sdk/anthropic^3.0.80@ai-sdk/google^3.0.80@ai-sdk/openai^3.0.65@anthropic-ai/sdk^0.96.0@aws-sdk/client-s3^3.1013.0@aws-sdk/lib-storage^3.1013.0@aws-sdk/s3-request-presigner^3.1013.0@clickhouse/client^1.8.1@dbos-inc/dbos-sdk^4.17.6@dnd-kit/core^6.3.1@dnd-kit/sortable^10.0.0@dnd-kit/utilities^3.2.2@inkjs/ui^2.0.0@modelcontextprotocol/ext-apps^1.7.1@openrouter/ai-sdk-provider^2.9.0@opentelemetry/core^2.6.0@tanstack/react-virtual3.13.24@xterm/addon-fit^0.11.0@xterm/xterm^6.0.0embedded-postgres^18.3.0-beta.16ink^6.8.0kysely^0.28.12nats^2.29.3node-pty^1.0.0posthog-js^1.371.1posthog-node^5.0.0react^19.2.6react-dom^19.2.6
Optional dependencies2
@anthropic-ai/claude-agent-sdk^0.2.141@duckdb/node-api^1.5.0-r.1