Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 342
- Versions published: 16
- First published: Feb 2026
- Publisher: michielhdoteth
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: postinstall added in 1.1.5 vs 1.0.2: "node scripts/init-dirs.mjs"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 60 · status changed
Evidence
Static findings
4 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 1.1.5 vs 1.0.2: "node scripts/init-dirs.mjs" | 40 |
| low | Credential file access | package/dist/core/embeddings/google-multimodal.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/core/security/secret-detector.js | matched "aws_access_key" | 5 |
| low | Install-time lifecycle script | package.json | install="node scripts/install-interactive.mjs" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/init-dirs.mjs" | 5 |
Manifest
Package metadata
Scripts (29)

| Script | Command |
|---|---|
| bench | `bun benchmark/memory.ts` |
| bench:db | `bun benchmark/run.ts` |
| build | `tsc && node scripts/copy-runtime-assets.mjs` |
| check:secrets | `node scripts/check-secrets.js` |
| clean | `rm -rf dist && rm -f *.log` |
| db:generate | `drizzle-kit generate` |
| db:migrate | `drizzle-kit migrate` |
| db:push | `drizzle-kit push` |
| db:studio | `drizzle-kit studio` |
| deps:check | `node scripts/dependency-manager.mjs` |
| deps:install | `node scripts/dependency-manager.mjs` |
| detect:clients | `node scripts/detect-clients.mjs` |
| dev | `bun --hot index.ts` |
| dev:db:check | `node scripts/check-db.mjs` |
| dev:db:init | `node scripts/init-db.mjs` |
| dev:db:recreate | `node scripts/recreate-db.mjs` |
| dev:mcp | `bun --hot core/commands/mcp-server.ts` |
| fallback:dry | `node scripts/squish-fallback.mjs --op health --simulate-mcp-failure --dry-run` |
| install | `node scripts/install-interactive.mjs` |
| mcp | `node dist/core/commands/mcp-server.js` |
| postinstall | `node scripts/init-dirs.mjs` |
| preflight:remote | `node scripts/remote-preflight.mjs` |
| prepare | `husky` |
| prepublishOnly | `npm run clean && npm run build` |
| release | `./scripts/build-release.sh && ./scripts/github-release.sh` |
| start | `node dist/index.js` |
| test | `node --test dist/tests/**/*.test.js` |
| test:interactive | `node scripts/test-interactive.mjs` |
| verify:mcp | `node scripts/verify-mcp.mjs` |
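Dependencies (21)

| Package | Version |
|---|---|
| @clack/prompts | ^0.7.0 |
| @modelcontextprotocol/sdk | ^1.27.1 |
| @neondatabase/serverless | ^1.0.2 |
| better-sqlite3 | 12.6.2 |
| bull | ^4.16.0 |
| commander | ^12.0.0 |
| cors | 2.8.6 |
| dotenv | ^16.4.0 |
| drizzle-orm | ^0.38.0 |
| express | ^5.2.1 |
| express-rate-limit | ^8.3.1 |
| hono | ^4.12.8 |
| node-cron | ^3.0.0 |
| pg | ^8.20.0 |
| pgvector | ^0.2.0 |
| picocolors | ^1.0.0 |
| redis | ^5.11.0 |
| sql.js | ^1.14.1 |
| uuid | ^13.0.0 |
| ws | ^8.18.0 |
| zod | ^3.24.0 |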