Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1
- Versions published: 2
- First published: May 2026
- Publisher: connorlu_1998
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/core/secret-redactor.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/lifecycle-runner.cjs postinstall" | 5 |
Manifest
Package metadata
Scripts (41)

| Script | Command |
|---|---|
| baseline:collect | node scripts/baseline-collect.mjs |
| baseline:diff | node scripts/baseline-diff.mjs |
| build | tsc |
| codex:spec-driver:install | bash plugins/spec-driver/scripts/codex-skills.sh install |
| codex:spec-driver:install:global | bash plugins/spec-driver/scripts/codex-skills.sh install --global |
| codex:spec-driver:remove | bash plugins/spec-driver/scripts/codex-skills.sh remove |
| codex:spec-driver:remove:global | bash plugins/spec-driver/scripts/codex-skills.sh remove --global |
| docs:sync:agents | node scripts/sync-agent-docs.mjs |
| eval:competitor | node scripts/eval-competitor.mjs |
| eval:fixture-check | node scripts/eval-task-fixture-check.mjs |
| eval:grounding | node scripts/eval-grounding.mjs |
| eval:judge | node scripts/eval-judge.mjs |
| eval:judge-jury | node scripts/eval-judge-jury.mjs |
| eval:refresh-self | node scripts/eval-refresh-self.mjs |
| eval:repeat | node scripts/eval-batch-repeat.mjs |
| eval:report | node scripts/eval-report.mjs |
| eval:task-runner | node scripts/eval-task-runner.mjs |
| hooks:check | bash scripts/check-plugin-sync.sh |
| hooks:install | bash scripts/install-hooks.sh |
| lint | tsc --noEmit |
| postinstall | node scripts/lifecycle-runner.cjs postinstall |
| prebuild | tsx scripts/inline-d3.ts |
| prepublishOnly | npm run release:check && npm run repo:check && npm run build && npx vitest run |
| preuninstall | node scripts/lifecycle-runner.cjs preuninstall |
| release:check | node scripts/validate-release-contracts.mjs |
| release:publish | npm publish |
| release:publish:dry | npm publish --dry-run |
| release:sync | node scripts/sync-release-contracts.mjs |
| repo:check | node scripts/repo-check.mjs |
| repo:sync | node scripts/repo-sync.mjs |

…and 11 more.

Dependencies (12)

| Package | Version range |
|---|---|
| @anthropic-ai/sdk | ^0.39.0 |
| @modelcontextprotocol/sdk | ^1.26.0 |
| chokidar | ^4.0.3 |
| graphology | ^0.26.0 |
| graphology-communities-louvain | ^2.0.2 |
| graphology-types | ^0.24.8 |
| handlebars | ^4.7.8 |
| openai | ^6.37.0 |
| p-limit | ^6.1.0 |
| ts-morph | ^24.0.0 |
| web-tree-sitter | ^0.24.7 |
| zod | ^3.24.1 |

Optional dependencies (1)

| Package | Version range |
|---|---|
| @huggingface/transformers | ^3.x |