Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 11
- First published
- Mar 2026
- Publisher
- manager-aijishu
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 29 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/install/jishu-install.sh | matched "curl " | 12 |
| medium | Remote Payload | package/install/jishu-uninstall.sh | matched "curl " | 12 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/install/jishu-install.sh | matched "curl " | 12 |
| medium | Remote Payload | package/install/jishu-uninstall.sh | matched "curl " | 12 |
| low | Install-time lifecycle script | package.json | postinstall="bash install/post-install.sh" | 5 |
Manifest
Package metadata
Scripts33
buildnpm install && tsc && cd frontend && npm install && npm run buildbuild:backendnpm install && tscbuild:frontendcd frontend && npm install && npm run buildbuild:packnpm run build && npm packcheck:app-specnode scripts/check-app-spec.mjscheck:contractsnode --experimental-strip-types scripts/check-adapter-isolation.ts && node scripts/check-colima-launchd.mjscheck:i18nnode scripts/check-i18n.mjscheck:new-file-testsnode scripts/check-new-file-tests.mjscheck:quarantinenode scripts/check-quarantine-expiry.mjscompilenpm run compile:backend && npm --prefix frontend run buildcompile:backendtscdevtsc --watchlintnpx biome check .lint:fixnpx biome check --fix .postinstallbash install/post-install.shpreparegit config core.hooksPath .githooks 2>/dev/null || trueprepublishOnlynpm run build && chmod +x dist/cli.jspreuninstallbash install/post-uninstall.shstartnode dist/cli.js servetestvitest runtest:changedvitest run --changedtest:cinpm run check:contracts && npm run build:backend && vitest run --coverage && cd frontend && npm install && npm run testtest:ci:backendvitest run --coverage --reporter=default --reporter=junit --outputFile.junit=test-results/backend-junit.xmltest:ci:frontendnpm --prefix frontend run test -- --reporter=default --reporter=junit --outputFile.junit=test-results/frontend-junit.xmltest:ci:fullnpm run test:ci && vitest run --config vitest.e2e-real.config.tstest:coveragevitest run --coveragetest:e2e:realnpm run build:backend && vitest run --config vitest.e2e-real.config.tstest:e2e:real:verbosenpm run build:backend && vitest run --config vitest.e2e-real.config.ts --reporter=verbosetest:integrationvitest run tests/integrationtest:mutationstryker run- …and 3 more.
Dependencies9
@fastify/multipart^10.0.0@fastify/static^8.1.0@noble/hashes^2.0.1bcryptjs^2.4.3exifr^7.1.3fastify^5.2.0jsonwebtoken^9.0.2systeminformation^5.23.0yaml^2.8.3
Optional dependencies1
macos-temperature-sensor^1.0.4