Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 71
Versions published: 24
First published: Apr 2026
Publisher: pskoett

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherpskoett

Artifact bytes2,131,771

Previous version0.1.21

Published2026-05-11T18:27:04.257Z

SHA-256b1ae0f37aadd0b93ebb89632477f8b41a3c645f9e0e89e6a178e41a4b750f2a2

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

23d agoLast checked

reviewRisk

36Score

0.1.22Version

Status history (1 event)

new → available23d ago · risk review · score 36 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/skills/published-consumer-e2e/scripts/run-published-consumer-e2e.sh	matched "curl "	12
medium	Remote Payload	package/src/server/server.ts	matched "cUrl "	12

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/skills/published-consumer-e2e/scripts/run-published-consumer-e2e.sh	matched "curl "	12
medium	Remote Payload	package/src/server/server.ts	matched "cUrl "	12
low	Obfuscation	package/dist/canvas/index.js	matched "\\uD83D"	3
low	Obfuscation	package/src/server/html-primitives.ts	matched "\\u003c"	3
low	Obfuscation	package/src/server/image-source.ts	matched "\\uFEFF"	3
low	Obfuscation	package/src/client/utils/platform.ts	matched "\\u2318"	3

Manifest

Package metadata

Scripts25

buildbun run build:client && bun run build:json-render && bun run build:types
build:clientbun build src/client/index.tsx --outdir dist/canvas --minify && cp src/client/theme/global.css dist/canvas/global.css
build:json-renderbash scripts/build-json-render.sh
build:typestsc -p tsconfig.types.json
devbun run src/cli/index.ts
dev:demobun run src/cli/index.ts --demo
dev:portlessportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313
dev:portless:demoportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313 --demo
pack:dry-runbun pm pack --dry-run
prepublishOnlybun run build && bun run typecheck
release:checkbun run build && bun run typecheck && bun run test:all
release:smokebash scripts/release-smoke.sh
startbun run src/cli/index.ts --no-open
testPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
test:allbun run test && bun run test:web-canvas
test:coveragebun test tests/unit --coverage --coverage-reporter=text --coverage-reporter=lcov --coverage-dir coverage
test:e2ebun run test:web-canvas
test:e2e-clibash scripts/e2e-cli-coverage.sh
test:e2e:headedbun run test:web-canvas:headed
test:install-browsersbun x playwright install chromium
test:unitPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
test:web-canvasPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun run build && PMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun x playwright test
test:web-canvas:headedbun run build && bun x playwright test --headed
typechecktsc --noEmit
validate:agent-skillsbash scripts/validate-agent-skill-mirrors.sh

Dependencies16

@joplin/turndown-plugin-gfm^1.0.64
@json-render/core^0.14.1
@json-render/mcp^0.14.1
@json-render/react^0.14.1
@json-render/shadcn^0.14.1
@modelcontextprotocol/ext-apps^1.3.1
@modelcontextprotocol/sdk^1.0.0
@preact/signals^2.0.0
@types/turndown^5.0.6
marked^15.0.0
preact^10.25.0
react^19.2.0
react-dom^19.2.0
recharts^3.2.1
turndown^7.2.4
zod^4.3.6