PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
154
Versions published
4
First published
May 2026
Publisher
chaosdonkey

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherchaosdonkey
Artifact bytes504,606
Previous version0.2.0
Published2026-05-19T01:43:07.883Z
SHA-256586a099919b4c45f7f92c311d030280fe4cc977a10f2784eb8eb7064f061e947

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
0.2.1Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/src/policy-heuristics.jsmatched ".npmrc"5
lowCredential file accesspackage/dist/src/policy-presets.jsmatched ".ssh"5
lowCredential file accesspackage/dist/src/session-share.jsmatched "GITHUB_TOKEN"5

Manifest

Package metadata

Scripts37
  • benchnpm run bench:correctness && npm run bench:perf:gate
  • bench:comparetsx bench/compare-metrics.ts
  • bench:correctnessnpm run check && npm test
  • bench:gatenpm run bench
  • bench:hotpathtsx bench/server-hotpath.bench.ts
  • bench:hotpath:gatenpm run bench:correctness && tsx bench/run-gate.ts --suite hotpath --runs 3 --metric-set avg --max-regression-pct 15 --min-baseline-us 0.2 --max-absolute-regression-us 0.05
  • bench:perfnpm run bench:hotpath
  • bench:perf:gatetsx bench/run-gate.ts --suite hotpath --runs 3 --metric-set avg --max-regression-pct 15 --min-baseline-us 0.2 --max-absolute-regression-us 0.05
  • buildbash -c 'tsc && if [ -f ../oppi-extensions/tsconfig.subagents.json ]; then tsc -p ../oppi-extensions/tsconfig.subagents.json; elif [ ! -f dist/oppi-extensions/src/subagents/index.js ] || [ ! -f dist/oppi-extensions/extensions/subagents.js ]; then echo "Missing Oppi first-party subagents build artifacts. Expected dist/oppi-extensions/... or ../oppi-extensions sources." >&2; exit 1; fi && chmod +x dist/src/cli.js'
  • checkprettier --version >/dev/null && bash -c 'paths=(src/ extensions/ bench/); if [ -d ../oppi-extensions/src/subagents ]; then paths+=(../oppi-extensions/src/subagents/ ../oppi-extensions/extensions/); fi; pids=(); tsc --noEmit & pids+=($!); if [ -f ../oppi-extensions/tsconfig.subagents.json ]; then tsc -p ../oppi-extensions/tsconfig.subagents.json --noEmit & pids+=($!); fi; eslint src/ extensions/ bench/ & pids+=($!); knip & pids+=($!); prettier --check --ignore-unknown "${paths[@]}" & pids+=($!); rc=0; for p in "${pids[@]}"; do wait "$p" || rc=1; done; exit $rc'
  • dead-codeknip
  • devtsx watch src/cli.ts serve
  • formatbash -c 'paths=(src/ extensions/ bench/); if [ -d ../oppi-extensions/src/subagents ]; then paths+=(../oppi-extensions/src/subagents/ ../oppi-extensions/extensions/); fi; prettier --write --ignore-unknown "${paths[@]}"'
  • format:checkbash -c 'paths=(src/ extensions/ bench/); if [ -d ../oppi-extensions/src/subagents ]; then paths+=(../oppi-extensions/src/subagents/ ../oppi-extensions/extensions/); fi; prettier --check --ignore-unknown "${paths[@]}"'
  • linteslint src/ extensions/ bench/
  • lint:fixeslint src/ extensions/ bench/ --fix
  • preparebash -c 'tsc && if [ -f ../oppi-extensions/tsconfig.subagents.json ]; then tsc -p ../oppi-extensions/tsconfig.subagents.json; elif [ ! -f dist/oppi-extensions/src/subagents/index.js ] || [ ! -f dist/oppi-extensions/extensions/subagents.js ]; then echo "Missing Oppi first-party subagents build artifacts. Expected dist/oppi-extensions/... or ../oppi-extensions sources." >&2; exit 1; fi && chmod +x dist/src/cli.js'
  • prepublishOnlynpm run build
  • startnode dist/src/cli.js serve
  • telemetry:grafana:downdocker compose -f docker-compose.telemetry.yml down
  • telemetry:grafana:updocker compose -f docker-compose.telemetry.yml up -d
  • telemetry:importnode scripts/manual/telemetry-import-sqlite.mjs
  • telemetry:import:watchnode scripts/manual/telemetry-import-sqlite.mjs --watch
  • telemetry:reviewbun scripts/telemetry-review.ts
  • telemetry:review:gatebun scripts/telemetry-review.ts --days 3 --gate
  • testvitest run
  • test:coveragevitest run --coverage --exclude tests/policy-fuzz-perf.test.ts
  • test:e2evitest run --config vitest.e2e.config.ts
  • test:e2e:auth-connectionnpm run test:e2e:clean && E2E_NATIVE=1 vitest run --config vitest.e2e.config.ts e2e/pairing-flow e2e/paired-session
  • test:e2e:cleannode scripts/e2e-clean.mjs
  • …and 7 more.
Dependencies7
  • @earendil-works/gondolin^0.7.0
  • @earendil-works/pi-ai0.75.0
  • @earendil-works/pi-coding-agent0.75.0
  • @earendil-works/pi-tui0.75.0
  • diff-match-patch^1.0.5
  • typebox1.1.28
  • ws^8.18.0