Package evidence
[email protected]
Remote Dependency Spec: optionalDependencies.@kuzushi/tob-skills="github:allsmog/tob-security-skills#98dda39a53eb74b90d60f305c8523e47552a9fb2"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 12
- Versions published: 22
- First published: Feb 2026
- Publisher: snejad123
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: postinstall added in 0.24.0-alpha.4 vs 0.20.0: "node scripts/check-native-bindings.mjs"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 245 · status changed
Evidence
Static findings
5 static · 5 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 0.24.0-alpha.4 vs 0.20.0: "node scripts/check-native-bindings.mjs" | 40 |
| high | Remote Dependency Spec | package.json | optionalDependencies.@kuzushi/tob-skills="github:allsmog/tob-security-skills#98dda39a53eb74b90d60f305c8523e47552a9fb2" | 35 |
| high | Remote Dependency Spec | package.json | optionalDependencies.@kuzushi/vuln-scout="github:allsmog/vuln-scout#79df9e804c6a87f0af3c779c55d2fcdb4675f49d" | 35 |
| high | Remote Dependency Spec | package.json | optionalDependencies.promptarmor-plugin="github:allsmog/promptarmor-plugin#690d60a5b4d2136206ef7dedd516d3fcfddd4db9" | 35 |
| high | Remote Dependency Spec | package.json | optionalDependencies.shinsa-plugin="github:allsmog/shinsa-plugin#74b3737d225970d849f5f6f57095cfe65ee7ccdf" | 35 |
| high | New Remote Dependency Vs Previous | package.json | optionalDependencies.@kuzushi/tob-skills added in 0.24.0-alpha.4 vs 0.20.0: "github:allsmog/tob-security-skills#98dda39a53eb74b90d60f305c8523e47552a9fb2" | 35 |
| high | New Remote Dependency Vs Previous | package.json | optionalDependencies.@kuzushi/vuln-scout added in 0.24.0-alpha.4 vs 0.20.0: "github:allsmog/vuln-scout#79df9e804c6a87f0af3c779c55d2fcdb4675f49d" | 35 |
| high | New Remote Dependency Vs Previous | package.json | optionalDependencies.promptarmor-plugin added in 0.24.0-alpha.4 vs 0.20.0: "github:allsmog/promptarmor-plugin#690d60a5b4d2136206ef7dedd516d3fcfddd4db9" | 35 |
| high | New Remote Dependency Vs Previous | package.json | optionalDependencies.shinsa-plugin added in 0.24.0-alpha.4 vs 0.20.0: "github:allsmog/shinsa-plugin#74b3737d225970d849f5f6f57095cfe65ee7ccdf" | 35 |
All 10 findings: the nine high-severity rows above, plus the following low-signal finding.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="node scripts/check-native-bindings.mjs" | 5 |
Manifest
Package metadata
Scripts (51)
| Script | Command |
|---|---|
| benchmark | `tsx benchmarks/harness.ts` |
| benchmark:diff | `tsx benchmarks/sarif-diff.ts` |
| benchmark:freeze | `tsx benchmarks/freeze-baseline.ts` |
| benchmark:regression | `tsx benchmarks/regression-check.ts` |
| benchmark:scoreboard | `tsx benchmarks/scoreboard.ts` |
| build | `tsc` |
| build:clean | `pnpm clean:dist && tsc` |
| build:native | `cargo build -p kuzushi-cli --release && node scripts/stage-native-binary.mjs` |
| build:rust | `cargo build --workspace` |
| check | `biome check .` |
| check:circular | `madge --ts-config tsconfig.json --extensions ts --circular src/` |
| check:docs | `node scripts/check-port-contract.mjs && node scripts/check-public-identity.mjs && node scripts/check-doc-command-drift.mjs && node scripts/check-retired-ts-runtime.mjs` |
| check:retired-ts-runtime | `node scripts/check-retired-ts-runtime.mjs` |
| check:types | `node scripts/typecheck-all.mjs` |
| clean:dist | `node -e "require('node:fs').rmSync('dist',{recursive:true,force:true})"` |
| codegen | `tsx scripts/codegen/index.ts` |
| codegen:check | `tsx scripts/codegen/check.ts` |
| complexity | `node scripts/cyclomatic.mjs src --top 30 --min 20` |
| complexity:logic | `node scripts/cyclomatic.mjs src --top 30 --min 20 --logic-only` |
| dev | `cargo run -p kuzushi-cli` |
| dev:rust | `cargo run -p kuzushi-cli` |
| doctor | `bash scripts/doctor.sh` |
| eval:kuzushi-whitebox-static | `node --import tsx evals/kuzushi-whitebox-static/run.ts` |
| export:source | `bash scripts/export-clean-source.sh` |
| fix | `biome check --write .` |
| fix:unsafe | `biome check --write --unsafe .` |
| format | `biome format .` |
| lint | `biome lint .` |
| perf | `tsx perf/harness.ts` |
| postinstall | `node scripts/check-native-bindings.mjs` |

…and 21 more.
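Dependencies (16)
| Package | Version spec |
|---|---|
| @anthropic-ai/sdk | ^0.81.0 |
| @kuzushi/augur | ^0.1.0 |
| @langchain/anthropic | ^1.0.0 |
| @langchain/core | ^1.0.0 |
| @langchain/langgraph | ^1.0.0 |
| @langchain/mcp-adapters | ^1.0.0 |
| @langchain/openai | ^1.0.0 |
| better-sqlite3 | ^12.8.0 |
| chalk | ^5.4.1 |
| commander | ^13.1.0 |
| langchain | ^1.0.0 |
| tinyglobby | ^0.2.15 |
| typescript | ^5.7.3 |
| undici | ^7.22.0 |
| yaml | ^2.7.0 |
| zod | ^4.3.6 |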
Optional dependencies (4)
| Package | Spec |
|---|---|
| @kuzushi/tob-skills | github:allsmog/tob-security-skills#98dda39a53eb74b90d60f305c8523e47552a9fb2 |
| @kuzushi/vuln-scout | github:allsmog/vuln-scout#79df9e804c6a87f0af3c779c55d2fcdb4675f49d |
| promptarmor-plugin | github:allsmog/promptarmor-plugin#690d60a5b4d2136206ef7dedd516d3fcfddd4db9 |
| shinsa-plugin | github:allsmog/shinsa-plugin#74b3737d225970d849f5f6f57095cfe65ee7ccdf |