PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,724Niche · −30% score
Versions published
128
First published
Mar 2026
Publisher
nicefox

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishernicefox
Artifact bytes3,187,305
Previous version2.0.0-beta.2
Published2026-06-16T16:51:46.314Z
SHA-2566e21a5c5683a775111e47c6635c295f5c95a0c029494526f08a73fd6029ed9ab

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
11Score
2.0.0-beta.3Version
Status history (1 event)
  1. newavailable · risk review · score 11 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/pwa-76XP2DY2.jsmatched "curl "12
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/pwa-76XP2DY2.jsmatched "curl "12
lowCredential file accesspackage/dist/web/assets/ssh-config-_ykCGR6B.jsmatched ".ssh/"5

Manifest

Package metadata

Scripts32
  • buildFORCE_COLOR=1 npm run build:server && FORCE_COLOR=1 npm run build:web
  • build:serverFORCE_COLOR=1 tsup && mkdir -p dist/command-defaults dist/skill-defaults dist/agent-defaults dist/workflow-defaults && cp src/server/commands/defaults/*.md dist/command-defaults/ && cp src/server/skills/defaults/*.md dist/skill-defaults/ && cp src/server/agents/defaults/*.md dist/agent-defaults/ && cp src/server/workflows/defaults/*.json dist/workflow-defaults/ && cp src/cli/update.sh dist/cli/ && chmod +x dist/cli/update.sh && cp package.json dist/ && cp -r src/server/public dist/server/
  • build:webcd web && FORCE_COLOR=1 vite build --outDir ../dist/web
  • checknpm run typecheck && npm run lint && npm run format && npm run duplicate
  • cleanrm -rf dist
  • devOPENFOX_DEV=true tsx watch src/cli/dev.ts --no-browser
  • dev:webvite --config web/vite.config.ts
  • duplicatenpm run duplicate:server && npm run duplicate:web
  • duplicate:serverjscpd src/server/ --ignore '**/*.test.ts' --threshold 0
  • duplicate:webjscpd web/src/ --config .jscpd-web.json --threshold 0
  • formatprettier --check 'src/**/*.ts'
  • format:fixprettier --write 'src/**/*.ts'
  • linteslint src/ web/src/
  • lint:fixeslint src/ --fix
  • patchHUSKY=0 npm version patch
  • preparehusky
  • prepublishOnlynpm run build && npm run test:publish:e2e
  • startnode dist/cli/index.js
  • start:devnode dist/cli/dev.js
  • testvitest run --reporter=dot --silent=passed-only && vitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts
  • test:covvitest run --reporter=dot --silent=passed-only --coverage && vitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts --coverage
  • test:cov:e2evitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts --coverage
  • test:cov:unitvitest run --reporter=dot --silent=passed-only --coverage
  • test:e2evitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts
  • test:playwrightplaywright test --config=e2e-playwright/playwright.config.ts
  • test:playwright:headedplaywright test --config=e2e-playwright/playwright.config.ts --headed
  • test:playwright:uiplaywright test --config=e2e-playwright/playwright.config.ts --ui
  • test:publish:e2etsx scripts/run-publish-e2e.ts
  • test:unitvitest run --reporter=dot --silent=passed-only
  • typechecknpm run typecheck:server && npm run typecheck:web
  • …and 2 more.
Dependencies35
  • @clack/prompts^1.1.0
  • @fontsource/jetbrains-mono^5.2.8
  • @xterm/addon-fit^0.11.0
  • @xterm/xterm^6.0.0
  • bash-language-server^5.6.0
  • better-sqlite3^12.8.0
  • cors^2.8.5
  • express^5.2.1
  • fast-glob^3.3.3
  • gray-matter^4.0.3
  • html2canvas^1.4.1
  • http-proxy^1.18.1
  • ignore^7.0.5
  • node-pty^1.2.0-beta.12
  • open^11.0.0
  • openai^6.33.0
  • pyright^1.1.408
  • react-markdown^10.1.0
  • react-syntax-highlighter^16.1.1
  • remark-gfm^4.0.1
  • shiki^4.2.0
  • sql-language-server^1.7.1
  • strip-ansi^7.2.0
  • turndown^7.2.2
  • typescript^5.8.2
  • typescript-language-server^5.1.3
  • vite^6.1.0
  • vscode-jsonrpc^8.2.1
  • vscode-langservers-extracted^4.10.0
  • vscode-languageserver-protocol^3.17.5
  • …and 5 more.