Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 78
- Versions published: 26
- First published: Apr 2026
- Publisher: ningyanz
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl:

```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 186 · status changed
Evidence
Static findings
133 static · 0 from release diff · showing high-signal first.
Showing 60 of 133 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/node_modules/sema-core/dist/util/commands.js | matched "curl " | 12 |
| medium | Obfuscation Density | package/node_modules/esprima/dist/esprima.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/node_modules/tr46/index.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/node_modules/sema-core/dist/tools/LaunchUI/LaunchUI.js | matched "curl " | 12 |
| medium | Remote Payload | package/web/dist/assets/vendor-markdown-DsZ0eGTk.js | matched "wget " | 12 |
| low | Credential file access | package/web/dist/assets/plugins-7-tyTxk8.js | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/node_modules/openai/auth/subject-token-providers.js | matched ".azure" | 5 |
| low | Credential file access | package/node_modules/openai/auth/subject-token-providers.mjs | matched ".azure" | 5 |
| low | Credential file access | package/node_modules/openai/src/auth/subject-token-providers.ts | matched ".azure" | 5 |
| low | Obfuscation | package/node_modules/eventsource-parser/dist/index.cjs | matched "\\u2026" | 3 |
| low | Obfuscation | package/node_modules/pkce-challenge/dist/index.node.cjs | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/zod/v4/core/schemas.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/node_modules/zod/v3/types.cjs | matched "\\u00A0" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_asciiWords.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_createCompounder.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_deburrLetter.js | matched "\\xc0" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_escapeStringChar.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_hasUnicode.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_unicodeSize.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_unicodeToArray.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/_unicodeWords.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/node_modules/jose/dist/webapi/lib/base64.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/openai/internal/utils/base64.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/formdata-node/lib/cjs/Blob.js | matched "\\x20" | 3 |
| low | Obfuscation | package/node_modules/formdata-node/lib/esm/Blob.js | matched "\\x20" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/lib/bom-handling.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/memory/chunker.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/node_modules/ajv/dist/compile/codegen/code.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/node_modules/undici/lib/llhttp/constants.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/context.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/context.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/utils/cookie.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/utils/cookie.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/undici/lib/web/fetch/data-url.js | matched "\\u000A" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/dbcs-data.js | matched "\\u00a5" | 3 |
| low | Obfuscation | package/node_modules/lodash-es/deburr.js | matched "\\xc0" | 3 |
| low | Obfuscation | package/node_modules/sema-core/dist/util/downloadRipgrep.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/utils/encode.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/utils/encode.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/gray-matter/lib/engines.js | matched "eval(" | 3 |
| low | Obfuscation | package/node_modules/esprima/dist/esprima.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/sema-core/dist/util/file.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/ajv-formats/dist/formats.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/adapter/aws-lambda/handler.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/adapter/aws-lambda/handler.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/pkce-challenge/dist/index.browser.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/node-fetch/lib/index.es.js | matched "\\u0020" | 3 |
| low | Obfuscation | package/node_modules/brace-expansion/dist/commonjs/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/brace-expansion/dist/esm/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/content-disposition/index.js | matched "\\x00" | 3 |
| low | Obfuscation | package/node_modules/content-type/index.js | matched "\\u000b" | 3 |
| low | Obfuscation | package/node_modules/cookie/index.js | matched "\\u0021" | 3 |
| low | Obfuscation | package/node_modules/depd/index.js | matched "Eval(" | 3 |
| low | Obfuscation | package/node_modules/encodeurl/index.js | matched "\\x21" | 3 |
| low | Obfuscation | package/node_modules/eventsource-parser/dist/index.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/node_modules/get-intrinsic/index.js | matched "Eval(" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/helper/dev/index.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/cjs/middleware/logger/index.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/helper/dev/index.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/node_modules/hono/dist/middleware/logger/index.js | matched "\\x1B" | 3 |
Manifest
Package metadata
Scripts (8)

| Script | Command |
|---|---|
| build | `tsc && chmod +x dist/cli.js` |
| build:web | `cd web && npm install && npm run build` |
| cli | `tsx src/cli.ts` |
| dev | `tsx src/index.ts` |
| dev:web | `cd web && npm run dev` |
| prepack | `rm -rf node_modules/@img node_modules/sharp node_modules/sema-core/node_modules/@img node_modules/sema-core/node_modules/sharp node_modules/sema-core/node_modules/@vscode node_modules/@vscode` |
| prepublishOnly | `npm run build && npm run build:web` |
| start | `node dist/index.js` |

Dependencies (19)

| Package | Version |
|---|---|
| @clack/prompts | ^1.1.0 |
| @larksuiteoapi/node-sdk | ^1.56.1 |
| @modelcontextprotocol/sdk | ^1.25.1 |
| @node-rs/jieba | ^2.0.1 |
| @types/ws | ^8.18.1 |
| @vscode/ripgrep | ^1.18.0 |
| @xenova/transformers | ^2.0.1 |
| better-sqlite3 | ^11.9.1 |
| commander | ^12.1.0 |
| cron-parser | ^4.9.0 |
| dotenv | ^16.4.7 |
| fflate | ^0.8.2 |
| grammy | ^1.34.0 |
| qrcode-terminal | ^0.12.0 |
| sema-core | file:vendor/sema-core-1.0.0.tgz |
| simple-git | ^3.36.0 |
| sqlite-vec | ^0.1.7-alpha.2 |
| ws | ^8.19.0 |
| zod | ^3.25.76 |

Optional dependencies (1)

| Package | Version |
|---|---|
| sharp | ^0.33.5 |