Signals CapitalGuard looks for
Postinstall, prepare, or prepublish scripts
Package registry tokens in config files
Agent-accessible dependency update automation
Why it matters
Package scripts can run code during routine install or build steps.
Agent-suggested dependency changes can trigger scripts outside normal review attention.
Registry credentials can expose private packages or publish permissions.
Precautions to take
Require review for dependency and lifecycle-script changes.
Move package registry credentials out of the repo workspace.
Run dependency updates in isolated environments with limited secrets.