Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 65
- First published
- Apr 2026
- Publisher
- razroo
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="node bin/sync.mjs"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 5 · status available -> available, risk review -> review, score 3 -> 5
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="node bin/sync.mjs" | 5 |
Manifest
Package metadata
Scripts121
build:configiso build .build:dashboardcd dashboard && go build .cache:getnode bin/job-forge.mjs cache:getcache:hasnode bin/job-forge.mjs cache:hascache:keynode bin/job-forge.mjs cache:keycache:listnode bin/job-forge.mjs cache:listcache:prunenode bin/job-forge.mjs cache:prunecache:putnode bin/job-forge.mjs cache:putcache:statusnode bin/job-forge.mjs cache:statuscache:verifynode bin/job-forge.mjs cache:verifycanon:comparenode bin/job-forge.mjs canon:comparecanon:explainnode bin/job-forge.mjs canon:explaincanon:keynode bin/job-forge.mjs canon:keycanon:normalizenode bin/job-forge.mjs canon:normalizecapabilities:checknode bin/job-forge.mjs capabilities:checkcapabilities:explainnode bin/job-forge.mjs capabilities:explaincapabilities:listnode bin/job-forge.mjs capabilities:listcapabilities:rendernode bin/job-forge.mjs capabilities:rendercontext:checknode bin/job-forge.mjs context:checkcontext:explainnode bin/job-forge.mjs context:explaincontext:listnode bin/job-forge.mjs context:listcontext:plannode bin/job-forge.mjs context:plancontext:rendernode bin/job-forge.mjs context:renderdedupnode dedup-tracker.mjsfacts:buildnode bin/job-forge.mjs facts:buildfacts:checknode bin/job-forge.mjs facts:checkfacts:explainnode bin/job-forge.mjs facts:explainfacts:hasnode bin/job-forge.mjs facts:hasfacts:querynode bin/job-forge.mjs facts:queryfacts:statusnode bin/job-forge.mjs facts:status- …and 91 more.
Dependencies22
@agent-pattern-labs/iso-cache^0.1.1@agent-pattern-labs/iso-canon^0.1.1@agent-pattern-labs/iso-capabilities^0.1.1@agent-pattern-labs/iso-context^0.1.1@agent-pattern-labs/iso-contract^0.1.1@agent-pattern-labs/iso-facts^0.1.1@agent-pattern-labs/iso-guard^0.1.1@agent-pattern-labs/iso-index^0.1.1@agent-pattern-labs/iso-ledger^0.1.1@agent-pattern-labs/iso-lineage^0.1.1@agent-pattern-labs/iso-migrate^0.1.1@agent-pattern-labs/iso-orchestrator^0.2.1@agent-pattern-labs/iso-postflight^0.1.1@agent-pattern-labs/iso-preflight^0.1.1@agent-pattern-labs/iso-prioritize^0.1.1@agent-pattern-labs/iso-receipts^0.1.0@agent-pattern-labs/iso-redact^0.1.1@agent-pattern-labs/iso-score^0.1.1@agent-pattern-labs/iso-timeline^0.1.1@agent-pattern-labs/iso-trace^0.5.1@geometra/mcp1.62.3playwright^1.58.1