skills@1.5.3
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 50
License: —
Install Scripts: No
Dependencies: 1
Dev Dependencies: 12
Package Size: 92.8 KB
Published:
Maintainers: rauchg, quuu
Keywords
cliagent-skillsskillsai-agentsaider-deskampantigravityaugmentbobclaude-codeopenclawclinecodearts-agentcodebuddycodemakercodestudiocodexcommand-codecontinuecortexcrushcursordeepagentsdevindextodroidfirebenderforgecodegemini-cligithub-copilotgoosejunieiflow-clikilokimi-clikiro-clikodemcpjammistral-vibemuxopencodeopenhandspiqoderqwen-codereplitrovodevrootabnine-clitraetrae-cnwarpwindsurfzencoderneovatepochiadaluniversal
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| yaml | ^2.8.3 | auto_approved |
Dev Dependencies (12)
| Package | Constraint | Registry Status |
|---|---|---|
| husky | ^9.1.7 | auto_approved |
| obuild | ^0.4.22 | pending |
| vitest | ^4.0.17 | auto_approved |
| prettier | ^3.8.1 | auto_approved |
| @types/bun | latest | auto_approved |
| picocolors | ^1.1.1 | auto_approved |
| simple-git | ^3.27.0 | auto_approved |
| typescript | ^5.9.3 | auto_approved |
| @types/node | ^22.10.0 | auto_approved |
| lint-staged | ^16.2.7 | auto_approved |
| xdg-basedir | ^5.1.0 | auto_approved |
| @clack/prompts | ^0.11.0 | auto_approved |
Transitive Dependency Tree (1 transitive dep, max depth 1)
├─ yaml ^2.8.3 → 2.8.3
Changes from v1.5.1
No metadata changes detected.
File Changes
0 added
0 removed
3 modified
size delta: +6.1 KB
Risk Dispositions (2 applicable to this version, 2 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Prior versions had CI/CD attestations; missing provenance on a new publisher is a strong compromise signal. |
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed from GitHub Actions to a new npm account with no prior publish history on this package. |
Dispositions that do not match any finding on this version (2):
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| maintainer-removed | maintainer-change | reject | AI | AI (maintainer-change): Original maintainer removed and replaced by new publisher with a prior rejection; takeover pattern generalizes. |
| net-exec-file:dist/_chunks/libs/gray-matter.mjs | source-diff | reject | AI | AI (source-diff): Network + code execution in newly added bundled file is a dropper/loader indicator; generalizes to this publisher's versions. |
SAST Findings (2)
[HIGH] Provenance attestation missing — previous versions had it (source: provenance)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
[HIGH] Publisher changed: GitHub Actions → quuu (on 2026-04-28) (source: provenance)
This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 50. Findings: 2 high (+50).
Commit: 592b2f61b47a Browse source
Published to npm: