Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 7,139 (Niche · −30% score)
- Versions published: 448
- First published: Jan 2026
- Publisher: asklokesh
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 45 · status changed
Evidence
Static findings
9 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/autonomy/app-runner.sh | matched "curl " | 12 |
| medium | Remote Payload | package/autonomy/notify.sh | matched "curl " | 12 |
| medium | Remote Payload | package/autonomy/sandbox.sh | matched "curl " | 12 |
| medium | Remote Payload | package/autonomy/serve.sh | matched "curl " | 12 |
| medium | Remote Payload | package/autonomy/telemetry.sh | matched "curl " | 12 |
| medium | Remote Payload | package/autonomy/voice.sh | matched "curl " | 12 |
| low | Credential file access | package/autonomy/lib/proof_redact.py | matched "aws_secret_access_key" | 5 |
| low | Credential file access | package/autonomy/issue-providers.sh | matched ".azure\\" | 5 |
| low | Credential file access | package/autonomy/sandbox.sh | matched ".ssh/" | 5 |
Manifest
Package metadata
Scripts (8)
- `prepack`: `find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; if command -v bun >/dev/null 2>&1; then (cd loki-ts && bun install --production && bun run build) || echo 'WARN: loki-ts build failed, using existing dist if present'; else echo 'WARN: bun not on PATH, skipping loki-ts build (using committed dist if present)'; fi; true`
- `prepublishOnly`: `cd dashboard-ui && npm ci && npm run build:all && test -f ../dashboard/static/index.html && cd ../web-app && npm ci && npm run build && test -f dist/index.html && grep -q /lab/assets/ dist/index.html`
- `test`: `bash -n autonomy/run.sh && bash -n autonomy/loki && bash -n autonomy/completion-council.sh && bash -n autonomy/app-runner.sh && bash -n autonomy/prd-checklist.sh && bash -n autonomy/playwright-verify.sh && node --test tests/protocols/*.test.js && node --test tests/protocols/a2a/*.test.js && node --test tests/observability/*.test.js && node --test tests/policies/*.test.js && node --test tests/audit/*.test.js && node --test tests/integrations/*.test.js && node --test tests/integrations/jira/*.test.js && node --test tests/integrations/github/*.test.js && node --test tests/integrations/slack/*.test.js && bash tests/managed_memory/test_flag_matrix.sh && bash tests/managed_memory/test_sdk_isolation.sh && bash tests/managed_memory/test_kill_switch.sh && python3 -m unittest tests.managed_memory.test_shadow_write_mock tests.managed_memory.test_retrieve_mock && echo 'All checks passed'`
- `test:dashboard`: `npm run test:visual && npm run test:parity`
- `test:integration`: `bash tests/integration/run_integration_suite.sh`
- `test:parity`: `node --experimental-vm-modules dashboard-ui/scripts/check-parity.js`
- `test:parity:json`: `node --experimental-vm-modules dashboard-ui/scripts/check-parity.js --json`
- `test:visual`: `node --experimental-vm-modules node_modules/jest/bin/jest.js dashboard-ui/tests/visual-regression.test.js`
Optional dependencies (4)
- `@opentelemetry/api` ^1.9.0
- `@opentelemetry/exporter-trace-otlp-http` ^0.57.0
- `@opentelemetry/sdk-trace-base` ^1.30.0
- `@opentelemetry/sdk-trace-node` ^1.30.0