Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1,875 (Niche · −30% score)
- Versions published: 211
- First published: Mar 2026
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/sdk/dist/node/files.js | matched ".npmrc" | 5 |
Manifest
Package metadata
Scripts (14)
- build: `rm -rf dist cli/core-dist cli/sdk/dist cli/sdk/core-dist && npm run build:core && npm run build:sdk && tsc && mkdir -p cli/core-dist cli/sdk/dist cli/sdk/core-dist && cp core/dist/*.js cli/core-dist/ && cp -R sdk/dist/. cli/sdk/dist/ && cp sdk/core-dist/*.js cli/sdk/core-dist/`
- build:core: `rm -rf core/dist && tsc -p core/tsconfig.json`
- build:sdk: `rm -rf sdk/dist sdk/core-dist && mkdir -p sdk/core-dist && cp core/dist/*.js sdk/core-dist/ && cp core/dist/*.d.ts sdk/core-dist/ && tsc -p sdk/tsconfig.json`
- start: `node dist/index.js`
- test: `node --experimental-test-module-mocks --test --import tsx SKILL.test.ts sync.test.ts 'core/src/**/*.test.ts' 'sdk/src/**/*.test.ts' 'src/**/*.test.ts' && node --test cli-output-contract.test.mjs cli-e2e.test.mjs cli-help.test.mjs cli-provision-active.test.mjs cli-argv.test.mjs cli-env.test.mjs cli-wallets.test.mjs cli-org.test.mjs cli-ci.test.mjs cli-deploy-ci.test.mjs cli-operator-loopback.test.mjs && npm run test:docs`
- test:docs: `npm run check:docs --workspace=@run402/sdk -- --skip-build`
- test:e2e: `node --test cli-output-contract.test.mjs cli-e2e.test.mjs cli-help.test.mjs cli-provision-active.test.mjs cli-argv.test.mjs cli-env.test.mjs cli-wallets.test.mjs cli-org.test.mjs cli-ci.test.mjs cli-deploy-ci.test.mjs cli-operator-loopback.test.mjs`
- test:help: `node --test cli-help.test.mjs`
- test:integration: `node --test --import tsx core/src/siwx-integration.integ.ts`
- test:integration:full: `node --test --import tsx cli-integration.test.ts`
- test:integration:fullstack: `npm run build && node --test --import tsx fullstack-integration.test.ts`
- test:integration:mcp: `node --test --import tsx mcp-integration.test.ts`
- test:skill: `node --test --import tsx SKILL.test.ts`
- test:sync: `node --test --import tsx sync.test.ts`

Dependencies (4)
- @modelcontextprotocol/sdk: ^1.27.1
- @noble/curves: ^2.0.1
- @noble/hashes: ^2.0.1
- zod: ^3.24.0