Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 2,575 (Mature · −50% score)
- First published: Oct 2012
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Credential file access: matched ".aws/"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 21 · status changed
Evidence
Static findings
19 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
All 19 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/node/services/agentSkills/builtInSkillContent.generated.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/node/config.test.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/node/services/tools/fileCommon.test.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/index-ENxkEMuN.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/node/services/projectService.test.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/node/utils/providerRequirements.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/common/orpc/schemas/runtime.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/ssh-config-_ykCGR6B.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/ssh-config-CywOjoXH.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/node/runtime/SSH2ConnectionPool.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/node/runtime/sshAskpass.test.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/node/runtime/sshConnectionPool.test.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/node/services/terminalService.test.js | matched ".ssh/" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="sh scripts/postinstall.sh" | 5 |
| low | Obfuscation Density | package/dist/chunk-B4BG7PRW-CygcNljY.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/flowDiagram-NV44I4VS-Bb7NQIGS.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/main-2tS15tCC.js | 7627457 bytes | 0 |
| low | Obfuscation Density | package/npm-shrinkwrap.json | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/cli/api.mjs | 4971591 bytes | 0 |
Manifest
Package metadata
Scripts (28)
| Script | Command |
|---|---|
| build | make build |
| debug | bun src/cli/debug/index.ts |
| dev | make dev |
| dist | make dist |
| dist:linux | make dist-linux |
| dist:mac | make dist-mac |
| dist:win | make dist-win |
| docs | make docs |
| docs:serve | make docs-server |
| docs:watch | make docs-watch |
| fmt | make fmt |
| fmt:check | make fmt-check |
| fmt:shell | make fmt-shell |
| lint | make lint |
| lint:fix | make lint-fix |
| postinstall | sh scripts/postinstall.sh |
| prebuild:main | ./scripts/generate-version.sh |
| start | make start |
| storybook | make storybook |
| storybook:build | make storybook-build |
| test | make test |
| test:coverage | make test-coverage |
| test:e2e | make test-e2e |
| test:integration | make test-integration |
| test:mobile | make test-mobile |
| test:storybook | make test-storybook |
| test:watch | make test-watch |
| typecheck | make typecheck |
Dependencies (99)
- @1password/sdk ^0.4.0
- @agentclientprotocol/sdk ^0.25.0
- @ai-sdk/amazon-bedrock ^4.0.101
- @ai-sdk/anthropic ^3.0.82
- @ai-sdk/deepseek ^2.0.33
- @ai-sdk/google ^3.0.68
- @ai-sdk/mcp ^1.0.40
- @ai-sdk/openai ^3.0.62
- @ai-sdk/openai-compatible ^2.0.46
- @ai-sdk/xai ^3.0.88
- @aws-sdk/credential-providers ^3.940.0
- @dnd-kit/core ^6.3.1
- @dnd-kit/sortable ^10.0.0
- @dnd-kit/utilities ^3.2.2
- @duckdb/node-api ^1.4.4-r.1
- @homebridge/ciao ^1.3.4
- @jitl/quickjs-wasmfile-release-asyncify ^0.31.0
- @lydell/node-pty 1.1.0
- @mozilla/readability ^0.6.0
- @novnc/novnc ^1.6.0
- @openrouter/ai-sdk-provider ^2.9.0
- @orpc/client ^1.11.3
- @orpc/openapi ^1.12.2
- @orpc/server ^1.11.3
- @orpc/zod ^1.11.3
- @radix-ui/react-checkbox ^1.3.3
- @radix-ui/react-context-menu ^2.2.16
- @radix-ui/react-dialog ^1.1.15
- @radix-ui/react-hover-card ^1.1.15
- @radix-ui/react-label ^2.1.8
- …and 69 more.

Optional dependencies (2)
- electron ^40.9.3
- node-pty 1.1.0-beta39