PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="node scripts/run-install-hook.mjs postinstall"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 446
Versions published: 279
First published: Jan 2026
Publisher: agnusdei12071207

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 10,957,089
Previous version: 1.2.71
Published: 2026-06-01T14:59:57.175Z
SHA-256: 50adfce68de1cab0cbed27740f9cd61dfbc85c7ee79571ac79724314ce409522

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node scripts/run-install-hook.mjs postinstall"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 5
Version: 1.3.3
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All findings (1, low-signal and informational):

Severity: low
Kind: Install-time lifecycle script
Path: package.json
Detail: postinstall="node scripts/run-install-hook.mjs postinstall"
Points: 5

Manifest

Package metadata

Scripts (28)
  • build: rm -rf dist && npx esbuild src/index.ts --bundle --outfile=dist/index.js --platform=node --format=esm && tsc --emitDeclarationOnly && mkdir -p dist/scripts && npx esbuild scripts/postinstall.ts --bundle --outfile=dist/scripts/postinstall.js --platform=node --format=esm --main-fields=module,main && npx esbuild scripts/preuninstall.ts --bundle --outfile=dist/scripts/preuninstall.js --platform=node --format=esm --main-fields=module,main
  • build:all: npm run build && npm run docker:rust-dist
  • cleanup:plugin: node scripts/run-install-hook.mjs preuninstall
  • docker:build-all: docker compose run --rm dev && docker compose run --rm rust-arm64 && docker compose run --rm win-builder
  • docker:build-win: docker compose run --rm win-builder
  • docker:clean: docker compose down -v
  • docker:rust-dist: docker compose run --rm dev && docker compose run --rm rust-arm64 && (sudo chown -R $(id -u):$(id -g) bin/ 2>/dev/null || true)
  • docker:test: docker compose run --rm test
  • ginstall: npm install -g opencode-orchestrator
  • log: tail -f "$(node -e 'console.log(require("os").tmpdir())')/opencode-orchestrator.log"
  • postinstall: node scripts/run-install-hook.mjs postinstall
  • prepublishOnly: npm run build
  • publish:token: npm publish --access public
  • release:clean: rm -rf dist bin && docker compose down -v
  • release:dry-run: npm run build && npm pack --dry-run
  • release:major: npm version major && npm run build && npm run docker:rust-dist && npm run publish:token
  • release:minor: npm version minor && npm run build && npm run docker:rust-dist && npm run publish:token
  • release:patch: npm version patch && npm run build && npm run docker:rust-dist && npm run publish:token
  • release:push-tags: git push origin main && git push origin --tags
  • reset:local: brew uninstall opencode 2>/dev/null; rm -rf ~/.config/opencode ~/.opencode ~/.local/share/opencode ~/.cache/opencode/node_modules/opencode-orchestrator && echo '=== Clean done ===' && brew install opencode && echo '{"plugin": ["opencode-orchestrator"], "$schema": "https://opencode.ai/config.json"}' > ~/.config/opencode/opencode.json && echo '=== Reset (Dev) complete. Run: opencode ==='
  • reset:prod: brew uninstall opencode 2>/dev/null; rm -rf ~/.config/opencode ~/.opencode ~/.local/share/opencode ~/.cache/opencode/node_modules/opencode-orchestrator && echo '=== Clean done ===' && brew install opencode && echo '{"plugin": ["opencode-orchestrator"], "$schema": "https://opencode.ai/config.json"}' > ~/.config/opencode/opencode.json && npm run cleanup:plugin && npm uninstall -g opencode-orchestrator && echo '=== Reset (Prod) complete. Run: opencode ==='
  • sync:readme-version: node scripts/sync-readme-version.mjs
  • test: vitest run --reporter=verbose
  • test:all: npm run build && vitest run --reporter=verbose && echo '=== ALL TESTS PASSED ==='
  • test:coverage: vitest run --coverage
  • test:e2e: vitest run tests/e2e --reporter=verbose
  • test:unit: vitest run tests/unit --reporter=verbose
  • version: npm run sync:readme-version
Dependencies (4)
  • @opencode-ai/plugin ^1.15.13
  • @opencode-ai/sdk ^1.15.13
  • jsonc-parser ^3.3.1
  • zod ^4.3.6