Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,791Niche · −30% score
Versions published: 18
First published: Jun 2026
Publisher: 24k06

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher24k06

Artifact bytes10,645,911

Previous version0.2.3

Published2026-06-02T06:39:32.518Z

SHA-256807728363520c4bd1b9584536031ebc8e91a9ea54ac1cecd051221d932fcdb69

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: preinstall added in 0.3.0 vs 0.2.3: "node scripts/preinstall-package-manager-warning.mjs"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

7d agoLast checked

highRisk

145Score

0.3.0Version

Status history (1 event)

new → available15d ago · risk high · score 145 · status changed

Evidence

Static findings

12 static · 2 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	preinstall added in 0.3.0 vs 0.2.3: "node scripts/preinstall-package-manager-warning.mjs"	40
high	New Lifecycle Script Vs Previous	package.json	postinstall added in 0.3.0 vs 0.2.3: "node scripts/postinstall-bundled-plugins.mjs"	40
medium	Credential file access	package/dist/install-package-dir-BaLgZ1Gi.js	matched ".npmrc"	10
medium	Credential file access	package/dist/npm-install-env-BI2gqTE-.js	matched ".npmrc"	10
medium	Credential file access	package/dist/npm-managed-root-Dy2ZayPZ.js	matched ".npmrc"	10

Show all 14 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	preinstall added in 0.3.0 vs 0.2.3: "node scripts/preinstall-package-manager-warning.mjs"	40
high	New Lifecycle Script Vs Previous	package.json	postinstall added in 0.3.0 vs 0.2.3: "node scripts/postinstall-bundled-plugins.mjs"	40
medium	Credential file access	package/dist/install-package-dir-BaLgZ1Gi.js	matched ".npmrc"	10
medium	Credential file access	package/dist/npm-install-env-BI2gqTE-.js	matched ".npmrc"	10
medium	Credential file access	package/dist/npm-managed-root-Dy2ZayPZ.js	matched ".npmrc"	10
low	Credential file access	package/dist/env-api-keys-DrHBA-r2.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/host-env-security-BujxmR07.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/model-auth-BF7w9Fiv.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/model-auth-markers-C_t-XPkx.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/model-auth-runtime-shared-cdTr1v5l.js	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	preinstall="node scripts/preinstall-package-manager-warning.mjs"	5
low	Install-time lifecycle script	package.json	postinstall="node scripts/postinstall-bundled-plugins.mjs"	5
low	Obfuscation Density	package/dist/control-ui/assets/config-runtime-CCw2hptH.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/npm-shrinkwrap.json	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts401

audit:seamsnode scripts/audit-seams.mjs
buildnode scripts/build-all.mjs
build:ci-artifactsnode scripts/build-all.mjs ciArtifacts
build:dockernode scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm plugins:assets:build && pnpm plugins:assets:copy && node --experimental-strip-types scripts/copy-hook-metadata.ts && node --experimental-strip-types scripts/copy-export-html-templates.ts && node --experimental-strip-types scripts/write-build-info.ts && node --experimental-strip-types scripts/write-cli-startup-metadata.ts && node --experimental-strip-types scripts/write-cli-compat.ts
build:plugin-sdk:dtsnode scripts/run-tsgo.mjs -p tsconfig.plugin-sdk.dts.json --declaration true
build:plugin-sdk:strict-smokepnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts
build:strict-smokepnpm plugins:assets:build && node scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts && node scripts/check-plugin-sdk-exports.mjs
canvas:a2ui:bundlenode scripts/bundle-a2ui.mjs
changed:lanesnode scripts/changed-lanes.mjs
checknode scripts/check.mjs
check:architecturepnpm check:import-cycles && pnpm check:madge-import-cycles && pnpm check:deprecated-api-usage && pnpm check:deprecated-jsdoc && pnpm db:kysely:check && pnpm lint:kysely
check:base-config-schemanode --import tsx scripts/generate-base-config-schema.ts --check
check:bundled-channel-config-metadatanode --import tsx scripts/generate-bundled-channel-config-metadata.ts --check
check:changednode scripts/check-changed.mjs
check:changelog-attributionsnode scripts/check-changelog-attributions.mjs
check:deprecated-api-usagenode scripts/check-deprecated-api-usage.mjs
check:deprecated-jsdocnode scripts/check-deprecated-jsdoc.mjs
check:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-mdx && pnpm docs:check-i18n-glossary && pnpm docs:check-links
check:import-cyclesnode --import tsx scripts/check-import-cycles.ts
check:locnode --import tsx scripts/check-ts-max-loc.ts --max 500
check:madge-import-cyclesnode --import tsx scripts/check-madge-import-cycles.ts
check:media-download-helpersnode scripts/check-media-download-helper-roundtrip.mjs
check:no-conflict-markersnode scripts/check-no-conflict-markers.mjs
check:no-runtime-action-load-confignode scripts/check-no-runtime-action-load-config.mjs
check:opengrep-rule-metadatanode security/opengrep/check-rule-metadata.mjs
check:runtime-sidecar-loadersnode --import tsx scripts/check-runtime-sidecar-loaders.mjs
check:static-import-sccspnpm check:madge-import-cycles
check:temp-path-guardrailsnode --import tsx scripts/check-temp-path-guardrails.ts
check:test-typespnpm tsgo:test
check:timednode scripts/check-timed.mjs
…and 371 more.

Dependencies56

@agentclientprotocol/sdk0.22.1
@anthropic-ai/sdk0.98.0
@clack/core1.3.1
@clack/prompts1.4.0
@earendil-works/pi-tui0.76.0
@google/genai2.6.0
@grammyjs/runner2.0.3
@grammyjs/transformer-throttler1.2.1
@homebridge/ciao1.3.9
@lydell/node-pty1.2.0-beta.12
@mistralai/mistralai2.2.5
@modelcontextprotocol/sdk1.29.0
@mozilla/readability0.6.0
@openclaw/fs-safe0.3.0
@openclaw/proxyline0.3.3
@silvia-odwyer/photon-node0.3.4
chalk5.6.2
chokidar5.0.0
clawpdf0.2.0
commander14.0.3
croner10.0.1
cross-spawn7.0.6
diff9.0.0
dotenv17.4.2
express5.2.1
file-type22.0.1
glob13.0.6
grammy1.43.0
highlight.js11.11.1
hosted-git-info9.0.3
…and 26 more.

Optional dependencies2

sharp0.34.5
sqlite-vec0.1.9