Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,024Niche · −30% score
Versions published: 130
First published: Dec 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes2,975,510

Previous version5.16.0

Published2026-06-08T07:36:27.586Z

SHA-256578e91a09e6b058993d7a2c5b022263efe860395715ec880eccade034c8eb7b3

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

9d agoLast checked

reviewRisk

2Score

5.17.0Version

Status history (1 event)

new → available9d ago · risk review · score 2 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/bundled/ai/standards/adversarial-test.ai.yaml	matched ".ssh/"	3
low	Credential file access	package/bundled/ai/options/release/publish-mode-github-actions.ai.yaml	matched ".npmrc"	3
low	Credential file access	package/bundled/ai/standards/security-testing.ai.yaml	matched ".npmrc"	3

Manifest

Package metadata

Scripts20

check:bundle-paritynode scripts/check-bundle-parity.mjs
generate:e2e-specnode scripts/generate-e2e-spec.mjs
linteslint src/
prepacknode scripts/prepack.mjs
preparenode ../scripts/setup-husky.mjs
testvitest run
test:allvitest run && vitest run tests/e2e/
test:certificatenode scripts/generate-test-certificate.mjs
test:civitest run --pool=forks --reporter=verbose --no-color tests/unit/ tests/utils/ tests/commands/ tests/prompts/
test:coveragevitest run --coverage
test:devnode scripts/test-discovery.mjs run development
test:discovernode scripts/test-discovery.mjs
test:e2evitest run tests/e2e/
test:fastvitest run --exclude tests/e2e/
test:quicknode scripts/test-discovery.mjs run development
test:unitvitest run tests/unit/ tests/utils/ tests/commands/ tests/prompts/
test:upgradenode scripts/test-upgrade-path.mjs
test:verifynode scripts/verify-test-certificate.mjs
test:watchvitest
test:with-certnpm test && npm run test:certificate

Dependencies5

@inquirer/prompts^8.4.2
chalk^5.3.0
commander^14.0.0
js-yaml^4.1.0
ora^9.4.0