PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="node ./dist/bin/sks.js postinstall"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
190
First published
Apr 2026
Publisher
cdw0424

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercdw0424
Artifact bytes1,242,071
Previous version2.0.17
Published2026-06-09T08:20:17.715Z
SHA-25606268b02b7a36d373d45ff00ca5de410022806bbb8c6a02bd48b5b923ea1238f

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node ./dist/bin/sks.js postinstall"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
2.0.18Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node ./dist/bin/sks.js postinstall"5

Manifest

Package metadata

Scripts641
  • agent:ast-aware-work-graphnode ./dist/scripts/agent-ast-aware-work-graph-check.js
  • agent:backfill-replenishmentnode ./dist/scripts/agent-backfill-replenishment-check.js
  • agent:backfill-route-blackboxnode ./dist/scripts/agent-backfill-route-blackbox.js
  • agent:background-terminalsnode ./dist/scripts/agent-background-terminals-check.js
  • agent:central-ledgernode ./dist/scripts/agent-native-release-gate.js agent-central-ledger
  • agent:cleanup-command-uxnode ./dist/scripts/agent-cleanup-command-ux-check.js
  • agent:cleanup-executornode ./dist/scripts/agent-cleanup-executor-check.js
  • agent:cleanup-executor-v2node ./dist/scripts/agent-cleanup-executor-v2-check.js
  • agent:cli-options-to-task-graphnode ./dist/scripts/agent-cli-options-to-task-graph-check.js
  • agent:codex-app-cockpitnode ./dist/scripts/agent-codex-app-cockpit-check.js
  • agent:codex-child-overlapnode ./dist/scripts/agent-codex-child-overlap-check.js
  • agent:dynamic-cockpitnode ./dist/scripts/agent-dynamic-cockpit-check.js
  • agent:dynamic-poolnode ./dist/scripts/agent-dynamic-pool-check.js
  • agent:dynamic-pool-route-blackboxnode ./dist/scripts/agent-dynamic-pool-route-blackbox.js
  • agent:fake-backend-blackboxnode ./dist/scripts/agent-native-release-gate.js agent-fake-backend-blackbox
  • agent:fast-mode-defaultnode ./dist/scripts/agent-fast-mode-default-check.js
  • agent:fast-mode-worker-propagationnode ./dist/scripts/agent-fast-mode-worker-propagation-check.js
  • agent:follow-up-work-schemanode ./dist/scripts/agent-follow-up-work-schema-check.js
  • agent:goal-mode-propagationnode ./dist/scripts/agent-goal-mode-propagation-check.js
  • agent:intelligent-work-graphnode ./dist/scripts/agent-intelligent-work-graph-check.js
  • agent:janitornode ./dist/scripts/agent-janitor-check.js
  • agent:lease-conflictsnode ./dist/scripts/agent-native-release-gate.js agent-lease-conflicts
  • agent:legacy-multiagent-removednode ./dist/scripts/legacy-multiagent-removal-check.js
  • agent:lifecycle-closenode ./dist/scripts/agent-native-release-gate.js agent-lifecycle-close
  • agent:main-no-scoutnode ./dist/scripts/agent-main-no-scout-check.js
  • agent:max-capnode ./dist/scripts/agent-native-release-gate.js agent-max-cap
  • agent:model-authored-patch-envelopenode ./dist/scripts/agent-model-authored-patch-envelope-check.js
  • agent:multi-project-isolationnode ./dist/scripts/agent-multi-project-isolation-check.js
  • agent:native-cli-session-proofnode ./dist/scripts/agent-native-cli-session-proof-check.js
  • agent:native-cli-session-swarmnode ./dist/scripts/agent-native-cli-session-swarm-check.js
  • …and 611 more.
Dependencies4
  • @modelcontextprotocol/sdk1.29.0
  • @openai/codex-sdk^0.138.0
  • figlet^1.11.0
  • typescript^5.9.3