Package evidence
[email protected]
Remote Payload: matched "github.com/astral-sh/uv/releases/download"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 288
- Versions published
- 55
- First published
- Mar 2026
- Publisher
- peterfrl
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "github.com/astral-sh/uv/releases/download"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 69 · status changed
Evidence
Static findings
10 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/startup/preflight/shared.js | matched "github.com/astral-sh/uv/releases/download" | 12 |
| medium | Remote Payload | package/xll/python/Lib/site-packages/pip/_vendor/urllib3/fields.py | matched "curl " | 12 |
| medium | Large Javascript Payload | package/dist/cli.js | 12487401 bytes | 10 |
Show all 10 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/startup/preflight/shared.js | matched "github.com/astral-sh/uv/releases/download" | 12 |
| medium | Remote Payload | package/xll/python/Lib/site-packages/pip/_vendor/urllib3/fields.py | matched "curl " | 12 |
| medium | Large Javascript Payload | package/dist/cli.js | 12487401 bytes | 10 |
| low | Credential file access | package/dist/cli/args.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/app/tools/bash.js | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/app/permissions/filesystem-policy.js | matched ".ssh" | 5 |
| low | Credential file access | package/dist/app/modes/action/prompt.js | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/shell/sandbox/lib/resolve.js | matched ".ssh" | 5 |
| low | Credential file access | package/xll/python/Lib/site-packages/pip/_vendor/pygments/lexers/_mapping.py | matched "id_rsa" | 5 |
| low | Credential file access | package/xll/python/Lib/site-packages/pip/_vendor/distlib/util.py | matched ".pypirc" | 5 |
Manifest
Package metadata
Scripts43
analyze:tui-tracenode scripts/analyze-tui-render-trace.jsbuildnode scripts/build.js && npm run copy-assetsbuild:disttsc -p tsconfig.build.jsonbuild:user-docsnode user-docs/build.js && node user-docs/build-pdf.jsbuild:xll:localcd .. && python xll/build-scripts/do_build.py --local-copybuild:xll:npmcd .. && python xll/build-scripts/do_build.py --npm-copycheck-typestsc -b --noEmitcheck-types:publictsc -p tsconfig.build.json --noEmitcheck-types:pythoncd ../xll && uvx pyrightcheck-types:runtime-boundarytsc -p tsconfig.tests.json --noEmitcopy-assetsnpm run copy-runtime-assets && npm run build:user-docscopy-embedded-python-to-localnode scripts/sync-python.js embedded-python-to-localcopy-python-to-localnode scripts/sync-python.js modules-to-localcopy-python-to-npmnode scripts/sync-python.js modules-to-npmcopy-runtime-assetsnpm run copy-python-to-npm && node scripts/copy-runtime-assets.jsdepcruisedepcruise --config .dependency-cruiser.cjs --output-type err srcdevnpm run copy-python-to-local && npm run copy-embedded-python-to-local && npm run sync-mog-api-reference && npm run sync-com-api-reference && node scripts/dev-source-checkout.jsdev:integrationtsx tests/connectors/runner/run-agentic-integration.tsformatprettier --write 'src/**/*.{ts,tsx,js,json}'format:checkprettier --check 'src/**/*.{ts,tsx,js,json}'inspect:runtime-boundarynode scripts/runtime-boundary-report.jsknipkniplinteslint src/lint:pythoncd .. && uvx ruff check xll/modules/ xll/tests/prepublishOnlypnpm run buildreleasenode scripts/release.jsstartnode dist/cli.jssync-com-api-referencepython3 scripts/sync-com-api-reference.pysync-mog-api-referencenode scripts/sync-mog-api-reference.jstestvitest --run- …and 13 more.
Dependencies29
@anthropic-ai/sdk^0.87.0@google-cloud/secret-manager^5.6.0@google-cloud/storage^7.19.0@mariozechner/jiti^2.6.5@mariozechner/pi-agent-core^0.55.4@mariozechner/pi-ai^0.55.4@modelcontextprotocol/sdk^1.29.0@silvia-odwyer/photon-node^0.3.4@sinclair/typebox^0.34.41ajv^8.17.1chalk^5.6.2cli-highlight^2.1.11croner^10.0.1diff^8.0.3dotenv^17.3.1extract-zip^2.0.1file-type^21.3.1glob^13.0.6hosted-git-info^9.0.2ignore^7.0.5jose^6.2.2marked^15.0.12minimatch^10.2.4proper-lockfile^4.1.2qrcode-terminal^0.12.0strip-ansi^7.2.0undici^7.22.0ws^8.20.0yaml^2.8.2
Optional dependencies2
@mog-sdk/node0.4.0@whiskeysockets/baileys7.0.0-rc.9