Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 492
Versions published: 222Established · −30% score
First published: Jul 2025
Publisher: farajabien

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherfarajabien

Artifact bytes1,442,429

Previous version4.2.34

Published2026-05-25T10:41:09.815Z

SHA-256166efb8f98a1dfe123eb5801604343693de17c0085294e6bd7b075f244ede2a0

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

23d agoLast checked

reviewRisk

52Score

4.2.35Version

Status history (1 event)

new → available23d ago · risk review · score 52 · status changed

Evidence

Static findings

16 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/config/dependencies.json	matched "curl "	12

Show all 16 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/config/dependencies.json	matched "curl "	12
low	Credential file access	package/dist/utils/geminiClient.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/commands/generate-screens.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/commands/generate-todos.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/utils/githubModelsClient.js	matched ".azure"	5
low	Credential file access	package/dist/commands/init.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/clients/MyContextAIClient.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/agents/implementations/ProjectSetupAgent.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/commands/setup-mcp.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/dist/commands/setup.js	matched "GITHUB_TOKEN"	5
low	Obfuscation	package/dist/commands/generate-screens.js	matched "Buffer.from(result.screenshot, \"base64"	3
low	Obfuscation	package/dist/agents/implementations/QASubAgent.js	matched "eval("	3
low	Obfuscation	package/dist/commands/review-context.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/agents/implementations/SecurityAgent.js	matched "eval("	3
low	Obfuscation	package/dist/agents/implementations/SolverAgent.js	matched "eval("	3
low	Obfuscation	package/dist/utils/spinner.js	matched "\\x1b"	3

Manifest

Package metadata

Scripts16

buildnpm run build:clean && npm run build:compile && npm run build:alias && npm run build:copy
build:alias([ "$npm_config_loglevel" = "silent" ] || echo '🔗 Resolving path aliases...') && tsc-alias
build:cleanrm -rf dist && ([ "$npm_config_loglevel" = "silent" ] || echo '🧹 Cleaned build directory')
build:compile([ "$npm_config_loglevel" = "silent" ] || echo '🔨 Compiling TypeScript...') && tsc --noEmitOnError false
build:copy([ "$npm_config_loglevel" = "silent" ] || echo '📋 Copying config files...') && cp -r src/config dist/ && cp -r src/templates dist/ && chmod +x dist/cli.js && ([ "$npm_config_loglevel" = "silent" ] || echo '✅ Build complete')
devts-node src/cli.ts
linteslint "src/**/*.ts" --quiet
lint:fixeslint "src/**/*.ts" --fix --quiet
prepublishOnlyecho 'Skipping tests and lint for now' && npm run build
startnode dist/cli.js
testjest --passWithNoTests
test:coveragejest --coverage --passWithNoTests
test:integrationjest --testPathPattern=integration --passWithNoTests
test:unitjest --testPathPattern='unit|core/' --passWithNoTests
test:watchjest --watch --passWithNoTests
watchtsc --watch --pretty

Dependencies36

@anthropic-ai/claude-agent-sdk^0.1.1
@google-cloud/vertexai^1.10.0
@google/generative-ai^0.24.1
@huggingface/inference^4.11.1
@modelcontextprotocol/sdk^1.26.0
@mycontext/tui-chatworkspace:*
@myycontext/coreworkspace:*
@playwright/test^1.58.2
@types/figlet^1.7.0
@types/handlebars^4.1.0
axios^1.6.0
chalk^5.6.2
clipboardy^5.3.1
commander^11.1.0
diff^8.0.2
dotenv^17.2.3
dotenv-expand^12.0.3
figlet^1.9.3
fs-extra^11.3.2
fuse.js^7.1.0
glob^10.3.10
gradient-string^3.0.0
handlebars^4.7.8
inquirer^9.2.12
js-yaml^4.1.1
mdast-util-to-markdown^2.1.2
node-fetch^2.7.0
openai^6.2.0
ora^7.0.1
playwright^1.58.2
…and 6 more.