PkgRadar

Package evidence

[email protected]

Remote Payload: matched "github.com/FiloSottile/mkcert/releases/download"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,657Niche · −30% score
Versions published
276
First published
Feb 2026
Publisher
cyborgninja

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercyborgninja
Artifact bytes4,762,339
Previous version4.32.7
Published2026-06-12T21:51:36.528Z
SHA-2561b43187c1c928fdfa4e5b6dd99f5be8cbd8add9977aea79330de549df25507da

Why flagged

What the scanner saw

Remote Payload: matched "github.com/FiloSottile/mkcert/releases/download"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
18Score
4.32.8Version
Status history (1 event)
  1. newavailable · risk review · score 18 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dashboard/.next/standalone/dashboard/node_modules/next/dist/lib/mkcert.jsmatched "github.com/FiloSottile/mkcert/releases/download"12
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dashboard/.next/standalone/dashboard/node_modules/next/dist/lib/mkcert.jsmatched "github.com/FiloSottile/mkcert/releases/download"12
lowCredential file accesspackage/dist/audit/dependency-scanner.jsmatched ".npmrc"5
lowCredential file accesspackage/dist/xray/findings-store.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.mjs"5

Manifest

Package metadata

Scripts24
  • audit:securitynpm audit --audit-level=moderate
  • benchtsx benchmark/longmemeval/run.ts
  • bench:smokeSHIELDCORTEX_SKIP_EMBEDDINGS=1 tsx benchmark/longmemeval/run.ts --quiet
  • bootstrap:dashboardnode -e "if (!require('fs').existsSync('dashboard/node_modules')) { process.exit(1); }" || (cd dashboard && npm ci --no-audit --no-fund)
  • buildnpm run build:ts && npm run build:dashboard
  • build:dashboardnpm run bootstrap:dashboard && cd dashboard && npm run build && (cp -r .next/static .next/standalone/dashboard/.next/ 2>/dev/null || true) && (cp -r public .next/standalone/dashboard/ 2>/dev/null || true) && cd .. && node scripts/prune-dashboard-standalone.mjs
  • build:tsnode -e "fs.rmSync('dist', { recursive: true, force: true }); fs.rmSync('plugins/openclaw/dist', { recursive: true, force: true })" && tsc -p tsconfig.build.json && tsc -p tsconfig.openclaw-plugin.json && cp plugins/openclaw/openclaw.plugin.json plugins/openclaw/dist/ && cp src/database/schema.sql dist/database/
  • devtsx src/index.ts
  • dev:apitsx src/index.ts --mode api
  • dev:dashboardtsx src/index.ts --dashboard
  • postbuild:tsnode scripts/ensure-bin-executable.mjs
  • postinstallnode scripts/postinstall.mjs
  • prepacknode scripts/ensure-bin-executable.mjs
  • prepublishOnlynode scripts/sync-plugin-version.mjs --check && npm run build && npm run test:dist
  • release:clawhubnode scripts/clawhub-sync.mjs
  • startnode dist/index.js
  • start:apinode dist/index.js --mode api
  • start:dashboardnode dist/index.js --dashboard
  • testnode scripts/run-jest.mjs
  • test:coveragenode scripts/run-jest.mjs --coverage
  • test:distnode scripts/check-no-bare-require.mjs
  • test:watchnode scripts/run-jest.mjs --watch
  • versionnode scripts/sync-plugin-version.mjs && git add plugins/openclaw/package.json plugins/openclaw/openclaw.plugin.json
  • watchtsc --watch
Dependencies8
  • @modelcontextprotocol/sdk^1.0.0
  • better-sqlite3^12.0.0
  • cors^2.8.5
  • express^4.21.0
  • safe-regex2^5.0.0
  • semver^7.7.0
  • ws^8.18.0
  • zod^3.23.0
Optional dependencies1
  • @huggingface/transformers^3.7.2