Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 25
- Versions published
- 10
- First published
- Apr 2026
- Publisher
- matthew-dean
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh/"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/chunks/chunk-OACCWW4R.js | matched ".ssh/" | 5 |
Manifest
Package metadata
Scripts43
benchmarks:compare:hermespnpm build && node dist/cli.js benchmarks compare hermes --hermes-root .guildhall/dev-tools/hermes-agentbenchmarks:compare:hermes-app-explicitpnpm build && node scripts/compare-hermes-quality.mjs --mode app-explicitbenchmarks:compare:hermes-app-inferpnpm build && node scripts/compare-hermes-quality.mjs --mode app-inferbenchmarks:compare:hermes-qualitypnpm build && node scripts/compare-hermes-quality.mjsbenchmarks:smokepnpm build && node dist/cli.js benchmarks run lifecycle --fixture-set smoke --automation fully-automated && node dist/cli.js benchmarks run tblite --subset smoke --automation fully-automated && node dist/cli.js benchmarks run swe-local --subset smoke --automation fully-automatedbuildpnpm build:ui && node ./build.mjsbuild:macos-packagenode ./scripts/build-macos-package.mjsbuild:uipnpm --filter @guildhall/ui buildcleanrm -rf distdevnode ./build.mjs --watchdev:hermes:installnode ./scripts/install-hermes-dev.mjsdev:installnode ./scripts/dev-install.mjsdev:uninstallnode ./scripts/dev-uninstall.mjsdocs:buildnpm run docs:check-copy && npm run docs:extract-help && vitepress build docsdocs:check-copynode scripts/check-public-copy-voice.mjsdocs:check-help-syncnode scripts/check-help-sync.mjsdocs:devnpm run docs:extract-help && vitepress dev docsdocs:extract-helppnpm docs:prepare-versions && node scripts/extract-help-topics.mjsdocs:prepare-versionsnode scripts/prepare-versioned-docs.mjsdocs:previewvitepress preview docslint:contractsnode scripts/contract-touch-detector.mjslint:data-layernode scripts/data-layer-guardrails.mjslint:depsdepcruise srclint:designnode scripts/design-token-audit.mjslint:reductionsnode scripts/reduction-guardrails.mjsmemory:mastra:auditpnpm build && node dist/cli.js memory mastra-auditmemory:mastra:value-gatenode scripts/prototype-mastra-memory-value-gate.mjsmemory:migratenode scripts/migrations/0.8.0-project-state.mjsmodel:bakeoffnode scripts/model-bakeoff.mjsreleasenode scripts/publish.mjs 0.10.0- …and 13 more.
Dependencies12
@hono/node-server^1.14.1@inquirer/prompts^7.4.0@mastra/core^1.41.0@mastra/libsql^1.12.1@mastra/memory^1.20.2@modelcontextprotocol/sdk^1.19.0hono^4.7.7js-yaml^4.1.0lucide-svelte~1.0.1marked~18.0.2yaml^2.6.1zod^3.24.1