Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 2904 · status changed
Related candidates
Linked campaigns and clusters
Credential file access — matched ".AZURE"
45 members · evidence strength 90Credential file access — matched "KUBECONFIG"
30 members · evidence strength 90Install Lifecycle Suppresses Failure — prepare="command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1 && git config core.hooksPath git-hooks || exit 0"
17 members · evidence strength 90Evidence
Static findings
284 static · 0 from release diff · showing high-signal first.
Showing 30 of 91 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/advertiser-DjgV5_k-.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/auth-aatOWW4D.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/auth-BXReeF2O.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/bonjour-discovery-DJOeAqVy.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-bridges-C2EBvFK4.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-open-BTGCmG6r.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/channel.runtime-KvZn8_hb.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/client-Du4bZd9P.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/client-hKay7jF9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/config-CcQ2HijN.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/diagnostic-support-redaction-GWib8H_y.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/discover-D-qkctw-.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/dist-cjs-Br3PVdcX2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-C2ZL4MkQ.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/dist-cjs-C8qzoy46.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-CVaUaZ1m.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D0ote1dm2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D7QErCJt.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/dist-cjs-sku9Z-qB2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-ulAL16eF.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-DBYzTIU1.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/dist-Dh8IiMKH.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-vtDI3Kho.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/doctor-auth-flat-profiles-Dg2COqHG.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/event-streams-j-n_zxDn.js | matched ".Aws" | 30 |
| high | DNS / OAST exfiltration | package/dist/fetch-Dy1LisTE.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/gateway-discovery-targets-FNcBbrXr.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/gateway-status-DcXm_aLz.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/host-env-security-66KkrZF_.js | matched "KUBECONFIG" | 30 |
| high | Credential file access | package/dist/httpAuthSchemes-0G32ph_d.js | matched ".aws" | 30 |
Show all 284 findings (low-signal and informational)
Showing 60 of 284 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/advertiser-DjgV5_k-.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/auth-aatOWW4D.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/auth-BXReeF2O.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/bonjour-discovery-DJOeAqVy.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-bridges-C2EBvFK4.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-open-BTGCmG6r.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/channel.runtime-KvZn8_hb.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/client-Du4bZd9P.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/client-hKay7jF9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/config-CcQ2HijN.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/diagnostic-support-redaction-GWib8H_y.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/discover-D-qkctw-.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/dist-cjs-Br3PVdcX2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-C2ZL4MkQ.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/dist-cjs-C8qzoy46.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-CVaUaZ1m.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D0ote1dm2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D7QErCJt.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/dist-cjs-sku9Z-qB2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-ulAL16eF.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-DBYzTIU1.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/dist-Dh8IiMKH.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-vtDI3Kho.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/doctor-auth-flat-profiles-Dg2COqHG.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/event-streams-j-n_zxDn.js | matched ".Aws" | 30 |
| high | DNS / OAST exfiltration | package/dist/fetch-Dy1LisTE.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/gateway-discovery-targets-FNcBbrXr.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/gateway-status-DcXm_aLz.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/host-env-security-66KkrZF_.js | matched "KUBECONFIG" | 30 |
| high | Credential file access | package/dist/httpAuthSchemes-0G32ph_d.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/image-generation-provider-DyUnxpyv.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/extensions/bonjour/index.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/extensions/github-copilot/index.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/install-package-dir-CRDuBtnD.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/model-auth-Db-JGIrg.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/model-auth-markers-Cf78z2Zm.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/model-auth-runtime-shared-cdTr1v5l.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/npm-install-env-BDr63VWf.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/npm-managed-root-rRx0glyx.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/onboard-0cAnqwjh.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/onboard-custom-config-Bi3WrYnQ.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/onboard-helpers-BaLdeEkj.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/onboard-remote-DR5OaRwp.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/openai-transport-stream-Pgx5hpN7.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/provider-contract-api-B5_Torho.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 30 |
| high | DNS / OAST exfiltration | package/dist/provider-gq-PTbiG.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/plugin-sdk/provider-test-contracts.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/realtime-voice-provider-DCrldkS6.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/remote-env-CBc5PaHP.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/runtime-config-collectors-CX76Hnah.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/runtime-schema-pPVn7_7T.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/service-DPmdIkJ0.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/shared-BspuLN8V.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/signin-BbKPpE27.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/speech-provider-BcNV6B1g.js | matched ".AZURE" | 30 |
| high | Credential file access | package/dist/src-B1sC_XUd.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/ssh-config-DXFPABYp.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/sso-oidc-KPZHYfun.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/sts-COigtJA9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/transport-policy-WBv_n2Q-.js | matched ".azure" | 30 |
Manifest
Package metadata
Scripts429
android:assemblecd apps/android && ./gradlew :app:assemblePlayDebugandroid:assemble:third-partycd apps/android && ./gradlew :app:assembleThirdPartyDebugandroid:bundle:releasebun apps/android/scripts/build-release-aab.tsandroid:formatcd apps/android && ./gradlew :app:ktlintFormat :benchmark:ktlintFormatandroid:installcd apps/android && ./gradlew :app:installPlayDebugandroid:install:third-partycd apps/android && ./gradlew :app:installThirdPartyDebugandroid:lintcd apps/android && ./gradlew :app:ktlintCheck :benchmark:ktlintCheckandroid:lint:androidcd apps/android && ./gradlew :app:lintDebugandroid:runcd apps/android && ./gradlew :app:installPlayDebug && adb shell am start -n ai.openclaw.app/.MainActivityandroid:run:third-partycd apps/android && ./gradlew :app:installThirdPartyDebug && adb shell am start -n ai.openclaw.app/.MainActivityandroid:testcd apps/android && ./gradlew :app:testPlayDebugUnitTestandroid:test:integrationOPENCLAW_LIVE_TEST=1 OPENCLAW_LIVE_ANDROID_NODE=1 node scripts/run-vitest.mjs run --config test/vitest/vitest.live.config.ts src/gateway/android-node.capabilities.live.test.tsandroid:test:third-partycd apps/android && ./gradlew :app:testThirdPartyDebugUnitTestaudit:seamsnode scripts/audit-seams.mjsbuildnode scripts/build-all.mjsbuild:ci-artifactsnode scripts/build-all.mjs ciArtifactsbuild:dockernode scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm plugins:assets:build && pnpm plugins:assets:copy && node --experimental-strip-types scripts/copy-hook-metadata.ts && node --experimental-strip-types scripts/copy-export-html-templates.ts && node --experimental-strip-types scripts/write-build-info.ts && node --experimental-strip-types scripts/write-cli-startup-metadata.ts && node --experimental-strip-types scripts/write-cli-compat.tsbuild:plugin-sdk:dtsnode scripts/run-tsgo.mjs -p tsconfig.plugin-sdk.dts.json --declaration truebuild:plugin-sdk:strict-smokepnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.tsbuild:strict-smokepnpm plugins:assets:build && node scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts && node scripts/check-plugin-sdk-exports.mjscanvas:a2ui:bundlenode scripts/bundle-a2ui.mjschanged:lanesnode scripts/changed-lanes.mjschecknode scripts/check.mjscheck:architecturepnpm check:import-cycles && pnpm check:madge-import-cycles && pnpm check:deprecated-api-usage && pnpm check:deprecated-jsdoccheck:base-config-schemanode --import tsx scripts/generate-base-config-schema.ts --checkcheck:bundled-channel-config-metadatanode --import tsx scripts/generate-bundled-channel-config-metadata.ts --checkcheck:changednode scripts/check-changed.mjscheck:changelog-attributionsnode scripts/check-changelog-attributions.mjscheck:deprecated-api-usagenode scripts/check-deprecated-api-usage.mjscheck:deprecated-jsdocnode scripts/check-deprecated-jsdoc.mjs- …and 399 more.
Dependencies50
@agentclientprotocol/sdk0.22.1@clack/core1.3.1@clack/prompts1.4.0@earendil-works/pi-agent-core0.75.4@earendil-works/pi-ai0.75.4@earendil-works/pi-coding-agent0.75.4@earendil-works/pi-tui0.75.4@google/genai2.5.0@grammyjs/runner2.0.3@grammyjs/transformer-throttler1.2.1@homebridge/ciao1.3.8@lydell/node-pty1.2.0-beta.12@modelcontextprotocol/sdk1.29.0@mozilla/readability0.6.0@openclaw/fs-safe0.2.7@openclaw/proxyline0.3.3ajv8.20.0chalk5.6.2chokidar5.0.0commander14.0.3croner10.0.1dotenv17.4.2express5.2.1file-type22.0.1grammy1.43.0ipaddr.js2.4.0jiti2.7.0json52.2.3jszip3.10.1kysely0.29.2- …and 20 more.
Optional dependencies2
sharp0.34.5sqlite-vec0.1.9