Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 2904 · status changed
Related candidates
Linked campaigns and clusters
Credential file access — matched ".AZURE"
45 members · evidence strength 90Credential file access — matched "KUBECONFIG"
30 members · evidence strength 90Install Lifecycle Suppresses Failure — prepare="command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1 && git config core.hooksPath git-hooks || exit 0"
17 members · evidence strength 90Evidence
Static findings
284 static · 0 from release diff · showing high-signal first.
Showing 30 of 91 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/advertiser-AGNGoR1M.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/auth-5EOqZ-jB.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/auth-Dzea_fyh.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/bonjour-discovery-CqNWdvaY.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-bridges-DtaaTw8I.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-open-3o-OXj9x.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/channel.runtime-CuPWUL9m.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/client-Du4bZd9P.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/client-hKay7jF9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/config-DCX8ekd9.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/diagnostic-support-redaction-CpvZtrrm.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/discover-VrRhuiSt.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/dist-cjs-Br3PVdcX2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-C2ZL4MkQ.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/dist-cjs-C8qzoy46.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-CVaUaZ1m.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D0ote1dm2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D7QErCJt.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/dist-cjs-sku9Z-qB2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-ulAL16eF.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-DBYzTIU1.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/dist-Dh8IiMKH.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-vtDI3Kho.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/doctor-auth-flat-profiles-C4pbGoEp.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/event-streams-j-n_zxDn.js | matched ".Aws" | 30 |
| high | DNS / OAST exfiltration | package/dist/fetch-LTgnnAII.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/gateway-discovery-targets-BPKcm1cb.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/gateway-status-bYtlvgoC.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/host-env-security-66KkrZF_.js | matched "KUBECONFIG" | 30 |
| high | Credential file access | package/dist/httpAuthSchemes-0G32ph_d.js | matched ".aws" | 30 |
Show all 284 findings (low-signal and informational)
Showing 60 of 284 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/advertiser-AGNGoR1M.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/auth-5EOqZ-jB.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/auth-Dzea_fyh.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/bonjour-discovery-CqNWdvaY.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-bridges-DtaaTw8I.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/browser-open-3o-OXj9x.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/channel.runtime-CuPWUL9m.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/client-Du4bZd9P.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/client-hKay7jF9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/config-DCX8ekd9.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/diagnostic-support-redaction-CpvZtrrm.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/discover-VrRhuiSt.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/dist-cjs-Br3PVdcX2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-C2ZL4MkQ.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/dist-cjs-C8qzoy46.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-CVaUaZ1m.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D0ote1dm2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-D7QErCJt.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/dist-cjs-sku9Z-qB2.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-cjs-ulAL16eF.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-DBYzTIU1.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/dist-Dh8IiMKH.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/dist-vtDI3Kho.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/doctor-auth-flat-profiles-C4pbGoEp.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/event-streams-j-n_zxDn.js | matched ".Aws" | 30 |
| high | DNS / OAST exfiltration | package/dist/fetch-LTgnnAII.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/gateway-discovery-targets-BPKcm1cb.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/gateway-status-bYtlvgoC.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/host-env-security-66KkrZF_.js | matched "KUBECONFIG" | 30 |
| high | Credential file access | package/dist/httpAuthSchemes-0G32ph_d.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/image-generation-provider-BSgprhA3.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/extensions/bonjour/index.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/extensions/github-copilot/index.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/install-package-dir-CNWBO-9R.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/model-auth-markers-BigDX9rI.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/model-auth-runtime-shared-cdTr1v5l.js | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/dist/model-auth-xstudKmn.js | matched ".AWS" | 30 |
| high | Credential file access | package/dist/npm-install-env-BDr63VWf.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/npm-managed-root-MCOeKjxj.js | matched ".npmrc" | 30 |
| high | Credential file access | package/dist/onboard-B8HO5Xsv.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/onboard-custom-config-D1YpA-HA.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/onboard-helpers-tGf6TuBg.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/onboard-remote-_SMNGBQA.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/openai-transport-stream-C2_3IYGt.js | matched ".azure" | 30 |
| high | DNS / OAST exfiltration | package/dist/provider-CGJq0LY3.js | matched "dns.lookup" | 30 |
| high | Credential file access | package/dist/provider-contract-api-B5_Torho.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 30 |
| high | Credential file access | package/dist/plugin-sdk/provider-test-contracts.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/realtime-voice-provider-DR49iRES.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/remote-env-CBc5PaHP.js | matched ".SSH" | 30 |
| high | Credential file access | package/dist/runtime-config-collectors-dwTZV3lr.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/runtime-schema-BGiKxMzX.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/service-wKnBHM00.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/shared-C5rSjly7.js | matched ".azure" | 30 |
| high | Credential file access | package/dist/signin-BbKPpE27.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/speech-provider-Cex7IREJ.js | matched ".AZURE" | 30 |
| high | Credential file access | package/dist/src-B1sC_XUd.js | matched ".Aws" | 30 |
| high | Credential file access | package/dist/ssh-config-DXFPABYp.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/sso-oidc-KPZHYfun.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/sts-COigtJA9.js | matched ".aws" | 30 |
| high | Credential file access | package/dist/transport-policy-WBv_n2Q-.js | matched ".azure" | 30 |
Manifest
Package metadata
Scripts429
android:assemblecd apps/android && ./gradlew :app:assemblePlayDebugandroid:assemble:third-partycd apps/android && ./gradlew :app:assembleThirdPartyDebugandroid:bundle:releasebun apps/android/scripts/build-release-aab.tsandroid:formatcd apps/android && ./gradlew :app:ktlintFormat :benchmark:ktlintFormatandroid:installcd apps/android && ./gradlew :app:installPlayDebugandroid:install:third-partycd apps/android && ./gradlew :app:installThirdPartyDebugandroid:lintcd apps/android && ./gradlew :app:ktlintCheck :benchmark:ktlintCheckandroid:lint:androidcd apps/android && ./gradlew :app:lintDebugandroid:runcd apps/android && ./gradlew :app:installPlayDebug && adb shell am start -n ai.openclaw.app/.MainActivityandroid:run:third-partycd apps/android && ./gradlew :app:installThirdPartyDebug && adb shell am start -n ai.openclaw.app/.MainActivityandroid:testcd apps/android && ./gradlew :app:testPlayDebugUnitTestandroid:test:integrationOPENCLAW_LIVE_TEST=1 OPENCLAW_LIVE_ANDROID_NODE=1 node scripts/run-vitest.mjs run --config test/vitest/vitest.live.config.ts src/gateway/android-node.capabilities.live.test.tsandroid:test:third-partycd apps/android && ./gradlew :app:testThirdPartyDebugUnitTestaudit:seamsnode scripts/audit-seams.mjsbuildnode scripts/build-all.mjsbuild:ci-artifactsnode scripts/build-all.mjs ciArtifactsbuild:dockernode scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm plugins:assets:build && pnpm plugins:assets:copy && node --experimental-strip-types scripts/copy-hook-metadata.ts && node --experimental-strip-types scripts/copy-export-html-templates.ts && node --experimental-strip-types scripts/write-build-info.ts && node --experimental-strip-types scripts/write-cli-startup-metadata.ts && node --experimental-strip-types scripts/write-cli-compat.tsbuild:plugin-sdk:dtsnode scripts/run-tsgo.mjs -p tsconfig.plugin-sdk.dts.json --declaration truebuild:plugin-sdk:strict-smokepnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.tsbuild:strict-smokepnpm plugins:assets:build && node scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts && node scripts/check-plugin-sdk-exports.mjscanvas:a2ui:bundlenode scripts/bundle-a2ui.mjschanged:lanesnode scripts/changed-lanes.mjschecknode scripts/check.mjscheck:architecturepnpm check:import-cycles && pnpm check:madge-import-cycles && pnpm check:deprecated-api-usage && pnpm check:deprecated-jsdoccheck:base-config-schemanode --import tsx scripts/generate-base-config-schema.ts --checkcheck:bundled-channel-config-metadatanode --import tsx scripts/generate-bundled-channel-config-metadata.ts --checkcheck:changednode scripts/check-changed.mjscheck:changelog-attributionsnode scripts/check-changelog-attributions.mjscheck:deprecated-api-usagenode scripts/check-deprecated-api-usage.mjscheck:deprecated-jsdocnode scripts/check-deprecated-jsdoc.mjs- …and 399 more.
Dependencies50
@agentclientprotocol/sdk0.22.1@clack/core1.3.1@clack/prompts1.4.0@earendil-works/pi-agent-core0.75.4@earendil-works/pi-ai0.75.4@earendil-works/pi-coding-agent0.75.4@earendil-works/pi-tui0.75.4@google/genai2.5.0@grammyjs/runner2.0.3@grammyjs/transformer-throttler1.2.1@homebridge/ciao1.3.8@lydell/node-pty1.2.0-beta.12@modelcontextprotocol/sdk1.29.0@mozilla/readability0.6.0@openclaw/fs-safe0.2.7@openclaw/proxyline0.3.3ajv8.20.0chalk5.6.2chokidar5.0.0commander14.0.3croner10.0.1dotenv17.4.2express5.2.1file-type22.0.1grammy1.43.0ipaddr.js2.4.0jiti2.7.0json52.2.3jszip3.10.1kysely0.29.2- …and 20 more.
Optional dependencies2
sharp0.34.5sqlite-vec0.1.9