PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
238
Versions published
224Established · −30% score
First published
Jul 2025
Publisher
farajabien

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherfarajabien
Artifact bytes1,473,080
Previous version4.2.35
Published2026-05-28T00:55:49.864Z
SHA-2564aa4c01dc74742315fc49643cd85bcc4f6d35c5707bd05de830d2e5776e2fa77

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
39Score
4.2.36Version
Status history (1 event)
  1. newavailable · risk review · score 39 · status changed

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/config/dependencies.jsonmatched "curl "12
Show all 10 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/config/dependencies.jsonmatched "curl "12
lowCredential file accesspackage/dist/utils/geminiClient.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/commands/generate-screens.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/commands/generate-todos.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/utils/githubModelsClient.jsmatched ".azure"5
lowCredential file accesspackage/dist/commands/init.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/clients/MyContextAIClient.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/agents/implementations/ProjectSetupAgent.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/commands/setup-mcp.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/commands/setup.jsmatched "GITHUB_TOKEN"5

Manifest

Package metadata

Scripts16
  • buildnpm run build:clean && npm run build:compile && npm run build:alias && npm run build:copy
  • build:alias([ "$npm_config_loglevel" = "silent" ] || echo '🔗 Resolving path aliases...') && tsc-alias
  • build:cleanrm -rf dist && ([ "$npm_config_loglevel" = "silent" ] || echo '🧹 Cleaned build directory')
  • build:compile([ "$npm_config_loglevel" = "silent" ] || echo '🔨 Compiling TypeScript...') && tsc --noEmitOnError false
  • build:copy([ "$npm_config_loglevel" = "silent" ] || echo '📋 Copying config files...') && cp -r src/config dist/ && cp -r src/templates dist/ && chmod +x dist/cli.js && ([ "$npm_config_loglevel" = "silent" ] || echo '✅ Build complete')
  • devts-node src/cli.ts
  • linteslint "src/**/*.ts" --quiet
  • lint:fixeslint "src/**/*.ts" --fix --quiet
  • prepublishOnlyecho 'Skipping tests and lint for now' && npm run build
  • startnode dist/cli.js
  • testjest --passWithNoTests
  • test:coveragejest --coverage --passWithNoTests
  • test:integrationjest --testPathPattern=integration --passWithNoTests
  • test:unitjest --testPathPattern='unit|core/' --passWithNoTests
  • test:watchjest --watch --passWithNoTests
  • watchtsc --watch --pretty
Dependencies36
  • @anthropic-ai/claude-agent-sdk^0.1.1
  • @google-cloud/vertexai^1.10.0
  • @google/generative-ai^0.24.1
  • @huggingface/inference^4.11.1
  • @modelcontextprotocol/sdk^1.26.0
  • @mycontext/tui-chatworkspace:*
  • @myycontext/coreworkspace:*
  • @playwright/test^1.58.2
  • @types/figlet^1.7.0
  • @types/handlebars^4.1.0
  • axios^1.6.0
  • chalk^5.6.2
  • clipboardy^5.3.1
  • commander^11.1.0
  • diff^8.0.2
  • dotenv^17.2.3
  • dotenv-expand^12.0.3
  • figlet^1.9.3
  • fs-extra^11.3.2
  • fuse.js^7.1.0
  • glob^10.3.10
  • gradient-string^3.0.0
  • handlebars^4.7.8
  • inquirer^9.2.12
  • js-yaml^4.1.1
  • mdast-util-to-markdown^2.1.2
  • node-fetch^2.7.0
  • openai^6.2.0
  • ora^7.0.1
  • playwright^1.58.2
  • …and 6 more.