PkgRadar

Package evidence

[email protected]

Credential file access: matched "id_rsa"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
3,726 · Niche · −30% score
Versions published
80
First published
May 2026
Publisher
taesoopark

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: taesoopark
Artifact bytes: 2,564,539
Previous version: 6.2.0
Published: 2026-06-16T15:21:01.541Z
SHA-256: 6e067503d9a3b073315a3658041442981f566509ca8a9c0278b4942cb198bf49

Why flagged

What the scanner saw

Credential file access: matched "id_rsa"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 10
Version: 6.3.0
Status history (1 event)
  1. new · available · risk review · score 10 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Severity | Kind | Path | Detail | Points
low | Credential file access | package/lattice_brain/graph/_kg_common.py | matched "id_rsa" | 5
low | Messenger Bot Endpoint | package/latticeai/cli/entrypoint.py | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5
low | Messenger Bot Endpoint | package/latticeai/integrations/telegram_bot.py | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5

Manifest

Package metadata

Scripts: 31
  • build · npm run build:assets && npm run build:python
  • build:assets · vite build && node scripts/build_frontend_assets.mjs
  • build:python · node scripts/run_python.mjs -m build
  • check:python · node scripts/run_python.mjs scripts/check_python.py
  • desktop:electron · electron desktop/electron/main.cjs
  • desktop:tauri · tauri dev
  • desktop:tauri:build · tauri build
  • desktop:tauri:check · cd src-tauri && cargo check
  • dev · python3 ltcai_cli.py --reload
  • docs:check-links · node scripts/check_markdown_links.mjs
  • frontend:dev · vite --host 127.0.0.1
  • frontend:openapi · node scripts/run_python.mjs scripts/export_openapi.py frontend/openapi.json && npx openapi-typescript frontend/openapi.json -o frontend/src/api/openapi.ts
  • lint · node --check tests/visual/mock_server.cjs && node --check tests/visual/v3.spec.js && npm run lint:frontend && node scripts/check_i18n_literals.mjs
  • lint:frontend · node scripts/lint_frontend.mjs
  • package:vsix · node scripts/build_vsix.mjs
  • publish:all · npm run release:artifacts && npm run release:validate && npm publish ltcai-$npm_package_version.tgz --access public && node scripts/run_python.mjs -m twine upload --skip-existing dist/ltcai-$npm_package_version.tar.gz dist/ltcai-$npm_package_version-py3-none-any.whl && cd vscode-extension && npm run publish:vscode && npm run publish:openvsx
  • publish:npm · npm pack && npm publish ltcai-$npm_package_version.tgz --access public
  • publish:openvsx · cd vscode-extension && npm run package:vsix && npm run publish:openvsx
  • publish:pypi · npm run build:python && node scripts/run_python.mjs -m twine upload --skip-existing dist/ltcai-$npm_package_version.tar.gz dist/ltcai-$npm_package_version-py3-none-any.whl
  • publish:vscode · cd vscode-extension && npm run package:vsix && npm run publish:vscode
  • release:artifacts · node scripts/clean_release_artifacts.mjs $npm_package_version && npm run build:assets && npm run build:python && npm pack && npm run package:vsix && npm run desktop:tauri:build
  • release:smoke · node scripts/run_python.mjs scripts/release_smoke.py $npm_package_version
  • release:validate · node scripts/run_python.mjs scripts/validate_release_artifacts.py $npm_package_version --require-vsix --require-tgz --require-dmg
  • start · LTCAI
  • test · node scripts/run_python.mjs -m pytest tests/ -v
  • test:integration · node scripts/run_integration_tests.mjs
  • test:unit · node scripts/run_python.mjs -m pytest tests/unit/ -v
  • test:visual · playwright test
  • typecheck · npm run typecheck:frontend && cd vscode-extension && npm run build
  • typecheck:frontend · npx tsc -p tsconfig.json --noEmit
  • …and 1 more.