PkgRadar

Package evidence

[email protected]

Remote Payload: matched "cUrl "

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherpeiiii
Artifact bytes735,547
Previous version0.19.26
Published2026-05-23T13:54:47.426Z
SHA-25606118e9e6a646c77f02dd5c146c0b1a43f01a11006c2a388ea094e00c2ac56cd

Why flagged

What the scanner saw

Remote Payload: matched "cUrl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
21Score
0.19.27Version
Status history (1 event)
  1. newavailable · risk review · score 21 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/cli/app/index.jsmatched "cUrl "12
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/cli/app/index.jsmatched "cUrl "12
lowObfuscationpackage/ui-dist/assets/api-rASx2-N4.jsmatched "\\u00C0"3
lowObfuscationpackage/ui-dist/assets/cpu-DKc3bQic.jsmatched "\\u0026"3
lowObfuscationpackage/ui-dist/assets/index-Db9Cufsy.jsmatched "\\xA0"3

Manifest

Package metadata

Scripts10
  • buildnode scripts/sync-usage-resource.mjs && tsdown src/index.ts src/cli/app/index.ts src/cli/launcher/index.ts --dts.sourcemap --clean --target es2022 --no-fixedExtension && node scripts/copy-ui-dist.mjs
  • devtsx watch --tsconfig ../../scripts/dev/dev-runtime.tsconfig.json src/cli/app/index.ts
  • dev:buildtsx --tsconfig ../../scripts/dev/dev-runtime.tsconfig.json src/cli/app/index.ts
  • linteslint .
  • runtime-update:buildnode scripts/build-npm-runtime-update-channel.mjs
  • smoke:npm-runtime-updatenode scripts/smoke-npm-runtime-update.mjs
  • startnode dist/cli/app/index.js
  • testvitest
  • tsctsc -p tsconfig.json
  • validation:npm-updatenode scripts/smoke-npm-runtime-update.mjs --manual
Dependencies19
  • @nextclaw/core0.12.23
  • @nextclaw/kernel0.1.13
  • @nextclaw/mcp0.1.88
  • @nextclaw/ncp0.5.16
  • @nextclaw/ncp-agent-runtime0.3.27
  • @nextclaw/ncp-mcp0.1.90
  • @nextclaw/ncp-toolkit0.5.21
  • @nextclaw/nextclaw-hermes-acp-bridge0.1.15
  • @nextclaw/nextclaw-ncp-runtime-http-client0.1.15
  • @nextclaw/nextclaw-ncp-runtime-stdio-client0.1.16
  • @nextclaw/openclaw-compat1.0.23
  • @nextclaw/remote0.1.101
  • @nextclaw/runtime0.2.55
  • @nextclaw/server0.12.24
  • @nextclaw/service0.1.16
  • chokidar^3.6.0
  • commander^12.1.0
  • jszip^3.10.1
  • yaml^2.8.1