Package evidence

[email protected]

Webhook Exfil Endpoint: matched "ngrok.app"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 266
First published: Mar 2026
Publisher: ricardoamartinez

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherricardoamartinez

Artifact bytes29,442,881

Previous version2026.3.333

Published2026-06-11T17:47:42.022Z

SHA-256773d840389dd410f4cac34475703a3ae73206d0832cee8395db7d28ac61bca69

Why flagged

What the scanner saw

Webhook Exfil Endpoint: matched "ngrok.app"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

6d agoLast checked

highRisk

115Score

2026.3.334Version

Status history (1 event)

new → available6d ago · risk high · score 115 · status changed

Evidence

Static findings

17 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/providers/twilio.test.ts	matched "ngrok.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.test.ts	matched "ngrok-free.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.ts	matched "ngrok-free.app"	40

Show all 17 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/providers/twilio.test.ts	matched "ngrok.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.test.ts	matched "ngrok-free.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.ts	matched "ngrok-free.app"	40
low	Credential file access	package/dist/dist-cjs-BNz9SzpQ.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/plugin-sdk/dist-cjs-BysjT8vZ.js	matched "aws_access_key"	5
low	Credential file access	package/dist/dist-cjs-C68xOA85.js	matched "aws_access_key"	5
low	Credential file access	package/dist/plugin-sdk/dist-cjs-DPyzHTIg.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/model-selection-CPMFDdc0.js	matched "AWS_ACCESS_KEY"	5
low	Large Javascript Payload	package/dist/dist-B7TwlN4O.js	4944822 bytes	0
low	Large Javascript Payload	package/dist/dist-DeXSENCS.js	2104028 bytes	0
low	Large Javascript Payload	package/dist/plugin-sdk/index.js	8350725 bytes	0
low	Large Javascript Payload	package/dist/login-qr-Di7t9ZSi.js	4091728 bytes	0
low	Large Javascript Payload	package/dist/plugin-sdk/opus-ml-0BycUTjo.js	4101493 bytes	0
low	Large Javascript Payload	package/dist/opus-ml-uUfRmBfq.js	4101493 bytes	0
low	Large Javascript Payload	package/dist/plugin-sdk/pi-model-discovery-CBWcyyqn.js	6142820 bytes	0
low	Large Javascript Payload	package/dist/pw-ai-CthVTO-M.js	4402452 bytes	0
low	Large Javascript Payload	package/dist/reply-CDA3useo.js	5546183 bytes	0

Manifest

Package metadata

Scripts75

android:assemblecd apps/android && ./gradlew :app:assembleDebug
android:installcd apps/android && ./gradlew :app:installDebug
android:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.skykoi.android/.MainActivity
android:testcd apps/android && ./gradlew :app:testDebugUnitTest
buildpnpm canvas:a2ui:bundle && tsdown && node --import tsx scripts/fix-playwright-bundle.ts && pnpm build:plugin-sdk:dts && node --import tsx scripts/write-plugin-sdk-entry-dts.ts && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/write-build-info.ts && node --import tsx scripts/write-cli-compat.ts
build:plugin-sdk:dtstsc -p config/tsconfig.plugin-sdk.dts.json
canvas:a2ui:bundlebash scripts/bundle-a2ui.sh
checkpnpm tsgo && pnpm lint && pnpm format
check:docspnpm format:docs && pnpm lint:docs && pnpm docs:build
check:locnode --import tsx scripts/check-ts-max-loc.ts --max 500
devnode scripts/run-node.mjs
docs:binnode scripts/build-docs-list.mjs
docs:buildcd docs && pnpm dlx --reporter append-only mint broken-links
docs:check-linksnode scripts/docs-link-audit.mjs
docs:devcd docs && mint dev
docs:listnode scripts/docs-list.js
formatoxfmt --check
format:allpnpm format && pnpm format:swift
format:docsgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --check
format:docs:fixgit ls-files 'docs/**/*.md' 'docs/**/*.mdx' 'README.md' | xargs oxfmt --write
format:fixoxfmt --write
format:swiftswiftformat --lint --config .swiftformat apps/macos/Sources apps/ios/Sources apps/shared/SkyKoiKit/Sources
gateway:devSKYKOI_SKIP_CHANNELS=1 SKYKOI_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway
gateway:dev:resetSKYKOI_SKIP_CHANNELS=1 SKYKOI_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway --reset
gateway:watchnode scripts/watch-node.mjs gateway --force
ios:buildbash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project skykoi.xcodeproj -scheme skykoi -destination "${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}" -configuration Debug build'
ios:gencd apps/ios && xcodegen generate
ios:opencd apps/ios && xcodegen generate && open skykoi.xcodeproj
ios:runbash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project skykoi.xcodeproj -scheme skykoi -destination "${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}" -configuration Debug build && xcrun simctl boot "${IOS_SIM:-iPhone 17}" || true && xcrun simctl launch booted ai.skykoi.ios'
lintoxlint --type-aware
…and 45 more.

Dependencies21

@clack/prompts^1.0.0
@sinclair/typebox0.34.48
ajv^8.17.1
chalk^5.6.2
chokidar^5.0.0
commander^14.0.3
croner^10.0.1
dotenv^17.2.4
express^5.2.1
hono4.12.18
jiti^2.6.1
json5^2.2.3
long^5.3.2
proper-lockfile^4.1.2
strip-ansi^7.1.0
tar7.5.15
tslog^4.10.2
undici^7.21.0
ws^8.19.0
yaml^2.8.2
zod^4.3.6

Optional dependencies31

@agentclientprotocol/sdk0.14.1
@aws-sdk/client-bedrock^3.985.0
@buape/carbon0.16.0
@grammyjs/runner^2.0.3
@grammyjs/transformer-throttler^1.2.1
@homebridge/ciao^1.3.4
@line/bot-sdk^10.6.0
@lydell/node-pty1.2.0-beta.3
@mariozechner/pi-agent-core0.52.8
@mariozechner/pi-ai0.52.8
@mariozechner/pi-coding-agent0.52.8
@mariozechner/pi-tui0.52.8
@mozilla/readability^0.6.0
@slack/bolt^4.6.0
@slack/web-api^7.13.0
@whiskeysockets/baileys7.0.0-rc.9
cli-highlight^2.1.11
discord-api-types^0.38.38
file-type^21.3.0
grammy^1.39.3
jszip^3.10.1
linkedom^0.18.12
markdown-it^14.1.0
node-edge-tts^1.2.10
osc-progress^0.3.0
pdfjs-dist^5.4.624
playwright1.58.2
playwright-core1.58.2
qrcode-terminal^0.12.0
sharp^0.34.5
…and 1 more.