Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 12
- First published
- Apr 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 12 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/domain.roles/patenter/skills/patent.priors/patent.priors.fetch.sh | matched "curl " | 12 |
| medium | Remote Payload | package/dist/domain.roles/patenter/skills/patent.priors/patent.priors.search.sh | matched "curl " | 12 |
| medium | Remote Payload | package/dist/domain.roles/transcriber/skills/transcribe.pdf/transcribe.pdf.sh | matched "curl " | 12 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/domain.roles/patenter/skills/patent.priors/patent.priors.fetch.sh | matched "curl " | 12 |
| medium | Remote Payload | package/dist/domain.roles/patenter/skills/patent.priors/patent.priors.search.sh | matched "curl " | 12 |
| medium | Remote Payload | package/dist/domain.roles/transcriber/skills/transcribe.pdf/transcribe.pdf.sh | matched "curl " | 12 |
| low | Credential file access | package/dist/domain.roles/patenter/skills/patent.priors/patent.priors.fetch.sh | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
Manifest
Package metadata
Scripts36
buildnpm run build:clean && npm run build:compile && npm run build:complete --if-presentbuild:cleannpm run build:clean:tsc && npm run build:clean:bunbuild:clean:bunrm -f ./bin/*.bcbuild:clean:tsc(chmod -R u+w dist 2>/dev/null || true) && rm -rf dist/build:compilenpm run build:compile:tsc && npm run build:compile:bun --if-presentbuild:compile:tsctsc -p ./tsconfig.build.json && tsc-alias -p ./tsconfig.build.jsonbuild:completenpm run build:complete:dist && npm run build:complete:repobuild:complete:distrsync -a --prune-empty-dirs --include='*/' --exclude='**/.route/**' --exclude='**/.scratch/**' --exclude='**/.behavior/**' --exclude='**/__test_assets__/**' --exclude='**/*.test.sh' --include='**/readme.md' --include='**/*.template.md' --include='**/briefs/**/*.md' --include='**/briefs/**/*.min' --include='**/briefs/*.md' --include='**/briefs/*.min' --include='**/skills/**/*.sh' --include='**/skills/*.sh' --include='**/skills/**/*.jsonc' --include='**/skills/*.jsonc' --include='**/skills/**/*.stone' --include='**/skills/**/*.guard' --include='**/inits/**/*.sh' --include='**/inits/*.sh' --include='**/inits/**/*.jsonc' --include='**/inits/*.jsonc' --include='**/keyrack.yml' --include='**/boot.yml' --exclude='*' src/ dist/build:complete:reponpx rhachet repo introspectbuild:tstsc -p ./tsconfig.build.jsoncommit:with-clinpx czfixnpm run fix:format && npm run fix:lintfix:formatnpm run fix:format:biomefix:format:biomebiome check --writefix:lintbiome check --writepostversiongit push origin HEAD --tags --no-verifyprepareif [ -e .git ] && [ -z $CI ]; then npm run prepare:husky && npm run prepare:rhachet; fiprepare:huskyhusky install && chmod ug+x .husky/*prepare:rhachetnpm run build && rhachet init --hooks --roles mechanic behaver driver reviewer librarian ergonomist architect reflector dreamer dispatcher achiever enroller patenter permiter transcriberprepublishnpm run buildprepushnpm run test && npm run buildpreversionnpm run prepushtestnpm run test:commits && npm run test:types && npm run test:format && npm run test:lint && npm run test:unit && npm run test:integration && npm run test:acceptance:locallytest:acceptancenpm run build && jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n $RESNAP ] && echo '--updateSnapshot')test:acceptance:locallynpm run build && LOCALLY=true jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n $RESNAP ] && echo '--updateSnapshot')test:commitsLAST_TAG=$(git describe --tags --abbrev=0 @^ 2> /dev/null || git rev-list --max-parents=0 HEAD) && npx commitlint --from $LAST_TAG --to HEAD --verbosetest:formatnpm run test:format:biometest:format:biomebiome formattest:integrationjest -c ./jest.integration.config.ts --forceExit --verbose --passWithNoTests $([ -z $THOROUGH ] && echo '--changedSince=main') $([ -n $RESNAP ] && echo '--updateSnapshot')test:integration:holdjest -c ./jest.integration.config.ts --forceExit --verbose --passWithNoTests $([ -z $THOROUGH ] && echo '--changedSince=main')- …and 6 more.
Dependencies7
as-procedure1.1.7domain-objects0.31.9helpful-errors1.5.3rhachet-brains-xai0.3.3rhachet-roles-rhachet0.1.7type-fns1.21.0zod4.3.4