Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 356 · status available -> available, risk high -> review, score 1483 -> 356
- new → available · risk high · score 1483 · status changed
Related candidates
Linked campaigns and clusters
gensparx
2 members · evidence strength 64Evidence
Static findings
189 static · 0 from release diff · showing high-signal first.
Showing 30 of 31 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/onboard-skills-CcTjeegG.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-DNC4uuqX.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/pi-embedded-helpers-Bwd1_tI5.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/plugin-sdk/pi-embedded-helpers-CAFZh_OP.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/plugin-sdk/pi-embedded-helpers-CMK_q1Z5.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/pi-embedded-helpers-yOWw1sGr.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-6x8wG9T0.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BCjRryWR.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DX-H4kpF.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-gv66G0EY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/skills/openai-whisper-api/scripts/transcribe.sh | matched "curl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/cli.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/device-pair/index.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/nextcloud-talk/src/monitor.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/diagnostics-otel/src/service.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/webhook/tailscale.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/tunnel.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/providers/twilio.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/webhook-security.test.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/providers/twilio/webhook.ts | matched "cUrl " | 12 |
| medium | Large Javascript Payload | package/dist/compact-D2TPKBPm.js | 3383692 bytes | 10 |
| medium | Credential file access | package/dist/oauth-env-BboBF1zT.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/oauth-env-D1DAFZqN.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BBacl5Ve.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BoHsfj-h.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-D-kQDxKC.js | 3703909 bytes | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-DTCGn_2V.js | 3704217 bytes | 10 |
| medium | Large Javascript Payload | package/dist/plugin-sdk/reply-5tHcV9BW.js | 3703677 bytes | 10 |
| medium | Large Javascript Payload | package/dist/plugin-sdk/reply-BiAoVEey.js | 3716869 bytes | 10 |
| medium | Large Javascript Payload | package/dist/reply-CQV03vP4.js | 3410501 bytes | 10 |
Show all 189 findings (low-signal and informational)
Showing 60 of 189 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/onboard-skills-CcTjeegG.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/onboard-skills-DNC4uuqX.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/pi-embedded-helpers-Bwd1_tI5.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/plugin-sdk/pi-embedded-helpers-CAFZh_OP.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/plugin-sdk/pi-embedded-helpers-CMK_q1Z5.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/pi-embedded-helpers-yOWw1sGr.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-6x8wG9T0.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/qr-cli-BCjRryWR.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-DX-H4kpF.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/sandbox-gv66G0EY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/skills/openai-whisper-api/scripts/transcribe.sh | matched "curl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/cli.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/device-pair/index.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/nextcloud-talk/src/monitor.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/diagnostics-otel/src/service.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/webhook/tailscale.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/tunnel.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/providers/twilio.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/webhook-security.test.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/extensions/voice-call/src/providers/twilio/webhook.ts | matched "cUrl " | 12 |
| medium | Large Javascript Payload | package/dist/compact-D2TPKBPm.js | 3383692 bytes | 10 |
| medium | Credential file access | package/dist/oauth-env-BboBF1zT.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/oauth-env-D1DAFZqN.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BBacl5Ve.js | matched ".SSH" | 10 |
| medium | Credential file access | package/dist/onboard-helpers-BoHsfj-h.js | matched ".SSH" | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-D-kQDxKC.js | 3703909 bytes | 10 |
| medium | Large Javascript Payload | package/dist/pi-embedded-DTCGn_2V.js | 3704217 bytes | 10 |
| medium | Large Javascript Payload | package/dist/plugin-sdk/reply-5tHcV9BW.js | 3703677 bytes | 10 |
| medium | Large Javascript Payload | package/dist/plugin-sdk/reply-BiAoVEey.js | 3716869 bytes | 10 |
| medium | Large Javascript Payload | package/dist/reply-CQV03vP4.js | 3410501 bytes | 10 |
| medium | Large Javascript Payload | package/extensions/diffs/assets/viewer-runtime.js | 9753906 bytes | 10 |
| low | Credential file access | package/dist/auth-profiles-BdePV0-r.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/bonjour-discovery-BGiS59Ip.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/bonjour-discovery-CZJYOmRn.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/plugin-sdk/config-ChZqDS6X.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/plugin-sdk/config-YN-hHN4d.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/gateway-cli-CDG_3RUn.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/gateway-cli-DmWmYY6Z.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/model-selection-C3zcUDCR.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-selection-Cqpzy7LB.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/model-selection-wPq_-8A-.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/onboard-remote-BAY2rGFY.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/onboard-remote-CMf4QV78.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/redact-snapshot-2NqE3VKC.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/redact-snapshot-DhaWATXv.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-C8ly6VMR.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/widearea-dns-DObOrEl_.js | matched ".ssh" | 5 |
| low | Credential file access | package/extensions/msteams/src/attachments.test.ts | matched ".azure" | 5 |
| low | Obfuscation | package/dist/canvas-host/a2ui/a2ui.bundle.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/acp-cli-Btej4Z-k.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/acp-cli-Dge45nML.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/audit-B-YcWl_a.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/audit-BsRvzHBF.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/auth-profiles-BdePV0-r.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/plugin-sdk/bluebubbles.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/plugin-sdk/chrome-BB7CQiQT.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-Bz2gUvgd.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-Dfjg_rJX.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/plugin-sdk/chrome-DMMos29X.js | matched "Buffer.from(base64, \"base64" | 3 |
| low | Obfuscation | package/dist/chrome-DyWhDIHf.js | matched "Buffer.from(base64, \"base64" | 3 |
Manifest
Package metadata
Scripts94
android:assemblecd apps/android && ./gradlew :app:assembleDebugandroid:installcd apps/android && ./gradlew :app:installDebugandroid:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.gensparx.android/.MainActivityandroid:testcd apps/android && ./gradlew :app:testDebugUnitTestbuildpnpm canvas:a2ui:bundle && tsdown && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/write-build-info.ts && node --import tsx scripts/write-cli-compat.tscanvas:a2ui:bundlenode scripts/bundle-a2ui.mjscheckpnpm tsgo && pnpm lint && pnpm formatcheck:locnode --import tsx scripts/check-ts-max-loc.ts --max 500deadcode:cipnpm deadcode:report:ci:knip && pnpm deadcode:report:ci:ts-prune && pnpm deadcode:report:ci:ts-unuseddeadcode:knippnpm dlx knip --no-progressdeadcode:reportpnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unuseddeadcode:report:ci:knipmkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || truedeadcode:report:ci:ts-prunemkdir -p .artifacts/deadcode && pnpm deadcode:ts-prune > .artifacts/deadcode/ts-prune.txt 2>&1 || truedeadcode:report:ci:ts-unusedmkdir -p .artifacts/deadcode && pnpm deadcode:ts-unused > .artifacts/deadcode/ts-unused-exports.txt 2>&1 || truedeadcode:ts-prunepnpm dlx ts-prune src extensions scriptsdeadcode:ts-unusedpnpm dlx ts-unused-exports tsconfig.json --ignoreTestFiles --exitWithCountdevnode scripts/dev.mjsdocs:binnode scripts/build-docs-list.mjsdocs:check-linksnode scripts/docs-link-audit.mjsdocs:devcd docs && mint devdocs:listnode scripts/docs-list.jsdocs:spellcheckbash scripts/docs-spellcheck.shdocs:spellcheck:fixbash scripts/docs-spellcheck.sh --writeformatoxfmt --writeformat:allpnpm format && pnpm format:swiftformat:checkoxfmt --checkformat:diffoxfmt --write && git --no-pager diffformat:docsgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --writeformat:docs:checkgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --checkformat:fixoxfmt --write- …and 64 more.
Dependencies57
@agentclientprotocol/sdk0.14.1@aws-sdk/client-bedrock^3.998.0@buape/carbon0.0.0-beta-20260216184201@clack/prompts^1.0.1@discordjs/voice^0.19.0@grammyjs/runner^2.0.3@grammyjs/transformer-throttler^1.2.1@homebridge/ciao^1.3.5@larksuiteoapi/node-sdk^1.59.0@line/bot-sdk^10.6.0@lydell/node-pty1.2.0-beta.3@mariozechner/pi-agent-core0.55.3@mariozechner/pi-ai0.55.3@mariozechner/pi-coding-agent0.55.3@mariozechner/pi-tui0.55.3@mozilla/readability^0.6.0@sinclair/typebox0.34.48@slack/bolt^4.6.0@slack/web-api^7.14.1@snazzah/davey^0.1.9@whiskeysockets/baileys7.0.0-rc.9ajv^8.18.0chalk^5.6.2chokidar^5.0.0cli-highlight^2.1.11commander^14.0.3croner^10.0.1discord-api-types^0.38.40dotenv^17.3.1express^5.2.1- …and 27 more.
Optional dependencies1
@discordjs/opus^0.10.0