PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release's score when public reputation argues against novel malware. The verdict above already reflects these signals; the panel only explains what was applied.

Weekly downloads: 796
Versions published: 104
First published: Mar 2026
Publisher: lumea-technologies

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 4,306,756
Previous version: none
Published: 2026-03-09T15:23:06.701Z
SHA-256: d9e563ada2f527f03a181151046206d7d165d4ba9a977dbcaa9b4b1c64387c3d

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Availability: available
Risk: review
Score: 44
Version: 0.1.16
Last checked:

Status history (1 event)
  1. new → available · risk review · score 44 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
medium | Remote Payload | package/dist/llm/orchestrator-tools.js | matched "curl " | 12
medium | Remote Payload | package/dist/notifications/channels/telegram.js | matched "api.telegram.org/bot" | 12
low | Credential file access | package/dist/llm/ai-client.js | matched "AWS_ACCESS_KEY" | 5
low | Credential file access | package/dist/llm/pi-client.js | matched "AWS_ACCESS_KEY" | 5
low | Credential file access | package/ui/dist/assets/ssh-config-_ykCGR6B.js | matched ".ssh/" | 5
low | Messenger Bot Endpoint | package/dist/notifications/channels/telegram.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5

Manifest

Package metadata

Scripts (19)
  • build: tsc
  • build:all: ./node_modules/.bin/tsc && pnpm --filter @polpo-ai/react build && pnpm --filter ui build
  • build:sdk: pnpm --filter @polpo-ai/react build
  • build:ui: pnpm --filter ui build
  • clean: rm -rf dist packages/react-sdk/dist ui/dist
  • dev: tsc --watch
  • dev:all: pnpm build:sdk && concurrently -n server,ui,docs -c blue,green,magenta "pnpm dev:serve" "pnpm dev:ui" "pnpm dev:docs"
  • dev:docs: cd docs && npx mintlify@latest dev
  • dev:serve: tsx --watch src/cli/index.ts serve -p 3890
  • dev:ui: pnpm --filter ui dev
  • generate:openapi: node -e "const{createApp}=require('./dist/server/app.js');const app=createApp(null,null);const fs=require('fs');app.fetch(new Request('http://localhost/api/v1/openapi.json')).then(r=>r.json()).then(j=>{fs.writeFileSync('docs/openapi.json',JSON.stringify(j,null,2));console.log('Generated openapi.json with',Object.keys(j.paths).length,'paths')})"
  • lint: pnpm --filter ui lint
  • prebuild:publish: pnpm build:sdk && VITE_POLPO_API_URL= pnpm build:ui
  • start: node dist/cli/index.js
  • start:all: pnpm build:all && node dist/cli/index.js serve -p 3890
  • start:serve: node dist/cli/index.js serve -p 3890
  • test: vitest
  • test:coverage: vitest run --coverage
  • typecheck: ./node_modules/.bin/tsc --noEmit
Dependencies (27)
  • @hono/node-server@^1.19.9
  • @hono/zod-openapi@^1.2.2
  • @mariozechner/pi-agent-core@^0.52.12
  • @mariozechner/pi-ai@^0.52.12
  • @polpo-ai/core@0.1.2
  • @sinclair/typebox@^0.34.48
  • @whiskeysockets/baileys@7.0.0-rc.9
  • chalk@^5.4.1
  • commander@^13.1.0
  • docx@^9.5.3
  • exceljs@^4.4.0
  • fullscreen-ink@^0.1.0
  • hono@^4.11.9
  • imapflow@^1.2.10
  • ink@^5.2.1
  • ink-select-input@^6.2.0
  • ink-spinner@^5.0.0
  • ink-text-input@^6.0.0
  • mammoth@^1.11.0
  • nanoid@^5.1.2
  • nodemailer@^8.0.1
  • pdf-lib@^1.17.1
  • qrcode@^1.5.4
  • react@^18.3.1
  • yaml@^2.7.0
  • zod@^4.3.6
  • zustand@^5.0.11
Optional dependencies (5)
  • @polpo-ai/drizzle@0.1.2
  • better-sqlite3@^12.6.2
  • drizzle-orm@^0.44.0
  • playwright-core@^1.52.0
  • postgres@^3.4.0