PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
219
Versions published
164
First published
Jan 2026
Publisher
htafolla

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: htafolla
Artifact bytes: 961,652
Previous version: 1.22.66
Published: 2026-06-02T12:11:18.976Z
SHA-256: 4274dc606bd8ec6d9ad5e112ba1ae3d03a16ecefc4c6ebc57412d206648de40b

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 17
Version: 1.22.67
Status history (1 event)
  1. new · available · risk review · score 17 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
medium | Remote Payload | package/dist/cli/commands/skill-install.js | matched "curl " | 12
low | Install-time lifecycle script | package.json | postinstall="node scripts/node/postinstall.cjs" | 5

Manifest

Package metadata

Scripts: 62
  • build → tsc && mkdir -p dist/public dist/scripts && cp -r public/* dist/public/ && cp scripts/hooks/pre-command dist/scripts/ && cp scripts/hooks/pre-command.mjs dist/scripts/ && cp README.md AGENTS.md CHANGELOG.md LICENSE dist/ && find src -name '*.mjs' ! -path '*/__tests__/*' | while read f; do tgt="dist/${f#src/}"; mkdir -p "$(dirname $tgt)"; cp "$f" "$tgt"; done && for dir in skills integrations mcps; do find src/$dir -type f ! -name '*.ts' ! -path '*/.pytest_cache/*' | while read f; do tgt="dist/${f#src/}"; mkdir -p "$(dirname $tgt)"; cp "$f" "$tgt"; done; done && mkdir -p dist/plugin && (find dist/plugin -name '*codex-injection*.js' -exec cp {} dist/plugin/xray-codex-injection.js \; 2>/dev/null || true) && cp -r src/opencode/ .opencode/ && rm -rf .opencode/strray 2>/dev/null || true
  • build:all → npm run build
  • build:clean → node scripts/build/utils.js clean
  • build:run → node scripts/build/utils.js build
  • build:verify → node scripts/build/utils.js verify
  • ci-install → npm ci
  • clean → rm -rf dist tsconfig.tsbuildinfo tsconfig.*.tsbuildinfo
  • config:setup → node scripts/config/utils.js setup-dev
  • debug:inference:force → XRAY_FORCE_MCP_GOVERNANCE=true XRAY_DEV_PATH=dist node dist/cli/index.js inference:run --force
  • enforce:versions → bash scripts/node/enforce-version-compliance.sh
  • lint → eslint -c tests/config/eslint.config.js src
  • lint:fix → eslint src --fix
  • monitoring:report → node scripts/monitoring/daemon.js report
  • monitoring:start → node scripts/monitoring/daemon.js start
  • monitoring:stop → node scripts/monitoring/daemon.js stop
  • postinstall → node scripts/node/postinstall.cjs
  • pre-publish-guard → node scripts/node/pre-publish-guard.js
  • prebuild → rm -rf dist tsconfig.tsbuildinfo tsconfig.*.tsbuildinfo
  • prepare-consumer → node scripts/node/prepare-consumer.cjs
  • prepublishOnly → npm run prepare-consumer && npm run build:all && find dist -name '*.d.ts' -o -name '*.d.ts.map' -o -name '*.js.map' | xargs rm -f
  • preversion → npm run version:sync
  • publish → npm run pre-publish-guard && npm run safe-publish
  • release → node scripts/node/release.js
  • release:dry → node scripts/node/release.js --dry-run
  • release:major → node scripts/node/release.mjs major
  • release:minor → node scripts/node/release.mjs minor
  • release:patch → node scripts/node/release.mjs patch
  • safe-publish → npm run prepare-consumer && npm run build
  • security-audit → npm audit || true
  • setup-dev → node scripts/node/setup-dev.cjs
  • …and 32 more.
Dependencies: 5
  • @modelcontextprotocol/sdk ^1.0.4
  • commander ^11.1.0
  • express ^5.2.1
  • jsonwebtoken ^9.0.3
  • ws ^8.16.0