PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
361
Versions published
10
First published
Jun 2026
Publisher
cgarrot

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercgarrot
Artifact bytes829,634
Previous version0.7.0
Published2026-06-05T16:06:04.827Z
SHA-256dd24d6d9022ba8b71723879c3ecdae41f269b2a37a4bb4d76861636c4b6b18c9

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
24Score
0.7.1Version
Status history (1 event)
  1. newavailable · risk review · score 24 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/compute/compute-profile.tsmatched ".npmrc"5
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/project-dna/project-dna.tsmatched ".npmrc"5
lowCredential file accesspackage/.pi/extensions/zob-harness/src/domains/coms/coms-v2/transcript-capture.tsmatched "aws_access_key"5
lowCredential file accesspackage/.pi/factories/project-dna/example-project-dna-manifest-v2.jsonmatched "id_rsa"3
lowCredential file accesspackage/.pi/factories/project-dna/example-project-dna-manifest.jsonmatched "id_rsa"3
lowCredential file accesspackage/.pi/compute-profiles/risk-rules.jsonmatched "id_rsa"3

Manifest

Package metadata

Scripts66
  • bench:project-dna:smokenode scripts/project-dna/bench-smoke.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/bench/benchmark-smoke.json
  • build:project-dna-capsules:smokenode scripts/project-dna/build-capsules.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • build:project-dna-sample-spec:smokenode scripts/project-dna/build-sample-spec.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • checktsc --noEmit --pretty false
  • check:cinpm run check -- --pretty false
  • demo:pacmannode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs auto
  • demo:pacman:preparenode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs prepare
  • demo:pacman:statusnode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs status
  • demo:pacman:validatenode .pi/zteams/agent-factory-pacman-multiplayer-runtime.mjs validate
  • emit:project-dna-golden-cases:smokenode scripts/project-dna/emit-golden-cases.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • emit:project-dna-ontology:smokenode scripts/project-dna/emit-ontology.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}
  • generate:project-dna-sample:smokenode scripts/project-dna/generate-sample.mjs --sample-spec ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/sample-spec.json --out-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/quarantine/sample-project
  • harness:intakenode scripts/harness-intake/launch.mjs
  • harness:intake:infernode scripts/harness-intake/infer-run-spec.mjs
  • harness:intake:scannode scripts/harness-intake/scan-sources.mjs
  • harness:intake:session-smokenode scripts/harness-intake/launch.mjs --target examples/harness-intake-fixtures/claude-code-mini --harness claude-code --allow-sessions --mode smoke "You may read the sessions in examples/harness-intake-fixtures/claude-code-mini; identify the workflows and propose a reusable ZOB team."
  • harness:intake:smokenode scripts/harness-intake/launch.mjs --demo --mode smoke "Analyze examples/agent-factory-tmux-comms as an Agent Factory tmux setup and propose a reusable ZOB team."
  • harness:intake:tmuxnode scripts/harness-intake/tmux-launch.mjs
  • harness:intake:validatenode scripts/harness-intake/validate-run.mjs
  • oracle:project-dna:smokenode scripts/project-dna/oracle-review-smoke.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --benchmark ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/bench/benchmark-smoke.json
  • pack:dry-runnpm pack --dry-run --json
  • pipi
  • pi:checkpi --offline --no-session --no-extensions -e ./.pi/extensions/zob-harness/index.ts -p 'Reply exactly: zob-harness-ok'
  • pi:explorepi --no-extensions -e ./.pi/extensions/zob-harness/index.ts --tools read,grep,find,ls,delegate_agent --append-system-prompt 'Start in ZOB explore mode.'
  • plan:compute-workflow:project-dna-smokenode scripts/compute-profile/plan-workflow.mjs --resolution ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/compute-profile-resolution.json --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/compute-workflow-shape.json
  • plan:project-dna-workflow:smokenode scripts/project-dna/plan-workflow.mjs --manifest .pi/factories/project-dna/example-project-dna-manifest-v2.json --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/agentic-plan.json
  • preview:compute-profile:project-dna-smokenode scripts/compute-profile/preview.mjs --domain project-dna --path .pi/factories/project-dna --requested auto --run-id project-dna-smoke --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/compute-preview.json --resolution-out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/compute-profile-resolution.json
  • query:project-dna:smokenode scripts/project-dna/query-context.mjs --scan-dir ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke} --query 'How does ProjectDNA keep bounded cited context?' --golden-case-id agentic-control-plane --out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/query-result-smoke.json --steward-report-out ${PROJECT_DNA_SCAN_DIR:-reports/project-dna-scans/project-dna-factory-smoke}/query-steward-smoke.json
  • release:dry-runsemantic-release --dry-run --no-ci
  • release:previewnode scripts/release/preview.mjs
  • …and 36 more.