PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
5
First published
Jun 2026
Publisher
cgarrot

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercgarrot
Artifact bytes750,604
Previous version0.3.0
Published2026-06-04T22:54:00.880Z
SHA-2562fbd66f3ef14686675fff7387c24d5deba3790afc4e76249db91328cafa6af82

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
24Score
0.3.1Version
Status history (1 event)
  1. newavailable · risk review · score 24 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/compute/compute-profile.tsmatched ".npmrc"5
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/project-dna/project-dna.tsmatched ".npmrc"5
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/coms/coms-v2/transcript-capture.tsmatched "aws_access_key"5
lowCredential file accesspackage/.pi/factories/project-dna/example-project-dna-manifest-v2.jsonmatched "id_rsa"3
lowCredential file accesspackage/.pi/factories/project-dna/example-project-dna-manifest.jsonmatched "id_rsa"3
lowCredential file accesspackage/.pi/compute-profiles/risk-rules.jsonmatched "id_rsa"3

Manifest

Package metadata

Scripts38
  • checktsc --noEmit --pretty false
  • check:cinpm run check -- --pretty false
  • demo:pacmannode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs auto
  • demo:pacman:preparenode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs prepare
  • demo:pacman:statusnode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs status
  • demo:pacman:validatenode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs validate
  • emit:project-dna-golden-cases:smokenode scripts/project-dna/emit-golden-cases.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • emit:project-dna-ontology:smokenode scripts/project-dna/emit-ontology.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • pack:dry-runnpm pack --dry-run --json
  • pipi
  • pi:checkpi --offline --no-session --no-extensions -e ./.pi/extensions/zob-harness/index.ts -p 'Reply exactly: zob-harness-ok'
  • pi:explorepi --no-extensions -e ./.pi/extensions/zob-harness/index.ts --tools read,grep,find,ls,delegate_agent --append-system-prompt 'Start in ZOB explore mode.'
  • plan:project-dna-workflow:smokenode scripts/project-dna/plan-workflow.mjs --manifest .pi/factories/project-dna/example-project-dna-manifest-v2.json --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/agentic-plan.json
  • smoke:autonomy-readiness-secretnode scripts/autonomy/mission-readiness-secret-smoke.mjs
  • smoke:child-goal-refnode scripts/goal-todo/child-goal-ref-smoke.mjs
  • smoke:compute-profile-regressionnode scripts/compute-profile/regression-smoke.mjs
  • smoke:git-opsnode scripts/git-ops/commit-policy-smoke.mjs
  • smoke:harnessnpm run smoke:path-policy && npm run smoke:child-goal-ref
  • smoke:harness-switchnode scripts/harness-switch/static-smoke.mjs
  • smoke:path-policynode scripts/path-policy/validate-smoke.mjs
  • smoke:project-dna-scannode scripts/project-dna/scan.mjs --source-path .pi/factories/project-dna --source-id project-dna-factory --out-dir reports/project-dna-scans/project-dna-factory-smoke
  • smoke:worker-poolnode scripts/worker-pool/static-smoke.mjs
  • smoke:zagentnode scripts/zagent-static-smoke.mjs
  • smoke:zpeernode scripts/zpeer-static-smoke.mjs && node scripts/zpeer-local-e2e-smoke.mjs
  • spec-runnode scripts/spec-run.mjs
  • spec-run:auto-pilotnode scripts/spec-run.mjs auto-pilot
  • steward:project-dna-query:smokenode scripts/project-dna/query-steward.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --query 'How does ProjectDNA keep bounded cited context?' --golden-case-id agentic-control-plane --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/query-steward-smoke.json
  • validate:agentic-spec-teamnode scripts/agentic-spec-team/validate-run.mjs
  • validate:compute-profile-policynode scripts/compute-profile/validate-policy.mjs
  • validate:model-catalognode scripts/model-catalog/validate.mjs
  • …and 8 more.