PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
471
Versions published
13
First published
Jun 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes14,122,124
Previous version0.1.2
Published2026-06-10T13:11:05.560Z
SHA-25648b1a248d27e4ae535665d0e6cfe84036424ce1de0b07b09d17126ec2220b465

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
0.1.3Version
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 9 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/app_dist/static/js/async/24989.87e78e4fe5.jsmatched ".ssh/"5
lowCredential file accesspackage/dist/app_dist/static/js/async/96878.869d7f668e.jsmatched ".ssh/"5
lowCredential file accesspackage/dist/@ai-sdk/amazon-bedrock.jsmatched "AWS_ACCESS_KEY"5
lowObfuscation Densitypackage/dist/app_dist/static/js/async/30626.1af9790ac3.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/dist/app_dist/static/js/43971.dbf9f86148.js3941011 bytes0
lowObfuscation Densitypackage/dist/app_dist/static/js/async/52294.27f9590ae5.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/dist/5301.js3123761 bytes0
lowObfuscation Densitypackage/dist/ai-sdk-ollama.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/zhipu-ai-provider.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts15
  • auth:migratepnpx auth migrate
  • auth:sqlpnpx auth generate --adapter drizzle
  • build:electroncross-env NODE_ENV=production rslib build
  • build:standalonenpm run rebuild && cross-env NODE_ENV=production rslib build && bun ./scripts/copyAppDist.ts
  • build:watchcross-env NODE_ENV=development rslib build --watch
  • clinode ./dist/cli.js
  • copy:app-distbun ./scripts/copyAppDist.ts
  • devconcurrently -c "cyan,magenta" "npm run build:watch" "npm run start:watch"
  • pubpnpm publish --access public --no-git-checks
  • rebuildcross-env CI=true npm rebuild better-sqlite3 bufferutil lmdb node-llama-cpp simsimd sqlite-vec utf-8-validate @node-rs/jieba @node-rs/xxhash
  • sqldrizzle-kit generate
  • startnode ./dist/index.js
  • start:watchdelay 600ms && cross-env NODE_ENV=development node --watch ./dist/index.js
  • studiodrizzle-kit studio
  • testrstest run $TEST_FILE
Dependencies93
  • @abraham/reflection^0.13.0
  • @ai-sdk/amazon-bedrock^4.0.108
  • @ai-sdk/anthropic^3.0.79
  • @ai-sdk/azure^3.0.66
  • @ai-sdk/cerebras^2.0.54
  • @ai-sdk/cohere^3.0.36
  • @ai-sdk/deepinfra^2.0.52
  • @ai-sdk/deepseek^2.0.35
  • @ai-sdk/fireworks^2.0.53
  • @ai-sdk/google^3.0.79
  • @ai-sdk/groq^3.0.39
  • @ai-sdk/mcp^1.0.43
  • @ai-sdk/mistral^3.0.37
  • @ai-sdk/moonshotai^2.0.23
  • @ai-sdk/open-responses^1.0.16
  • @ai-sdk/openai3.0.65
  • @ai-sdk/openai-compatible^2.0.48
  • @ai-sdk/perplexity^3.0.33
  • @ai-sdk/provider-utils4.0.27
  • @ai-sdk/togetherai^2.0.53
  • @ai-sdk/vercel^2.0.50
  • @ai-sdk/xai^3.0.92
  • @better-auth/drizzle-adapter^1.6.11
  • @chonkiejs/core^0.0.10
  • @drizzle-team/brocli^0.12.0
  • @hono/node-server2.0.4
  • @hono/trpc-server^0.4.2
  • @hono/zod-validator^0.8.0
  • @larksuiteoapi/node-sdk^1.65.0
  • @node-rs/jieba^2.0.1
  • …and 63 more.