Package evidence

@code-yeongyu/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 604
Versions published: 32
First published: May 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@code-yeongyu/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@code-yeongyu/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes16,971,006

Previous version2026.6.10

Published2026-06-12T10:02:37.664Z

SHA-2565c7d003dfaa7860fc943116dd5d72a5fd080a20c05693218a3a19039711b6579

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

28h agoLast checked

reviewRisk

19Score

2026.6.12-2Version

Status history (1 event)

new → available28h ago · risk review · score 19 · status changed

Evidence

Static findings

15 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 15 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/cli/args.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/google-auth-library/build/src/auth/defaultawssecuritycredentialssupplier.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/client-bedrock-runtime/dist-es/models/enums.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@earendil-works/pi-ai/dist/env-api-keys.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/google-auth-library/build/src/auth/googleauth.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js	matched "aws_access_key"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js	matched "aws_access_key"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/package.json	matched ".aws/"	3
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-process/package.json	matched ".aws/"	3
low	Obfuscation Density	package/npm-shrinkwrap.json	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts9

buildtsgo -p tsconfig.build.json && npm run copy-assets && shx chmod +x dist/cli.js && shx cp dist/cli.js dist/senpi && shx chmod +x dist/senpi
build:binarynpm --prefix ../tui run build && npm --prefix ../ai run build && npm --prefix ../agent run build && npm run build && bun build --compile ./dist/bun/cli.js ./src/utils/image-resize-worker.ts --outfile dist/pi && npm run copy-binary-assets
cleanshx rm -rf dist
copy-assetsshx mkdir -p dist/modes/interactive/theme && shx cp src/modes/interactive/theme/*.json dist/modes/interactive/theme/ && shx mkdir -p dist/modes/interactive/assets && shx cp src/modes/interactive/assets/*.png dist/modes/interactive/assets/ && shx mkdir -p dist/core/export-html/vendor && shx cp src/core/export-html/template.html src/core/export-html/template.css src/core/export-html/template.js dist/core/export-html/ && shx cp src/core/export-html/vendor/*.js dist/core/export-html/vendor/
copy-binary-assetsshx cp package.json dist/ && shx cp README.md dist/ && shx cp CHANGELOG.md dist/ && shx mkdir -p dist/theme && shx cp src/modes/interactive/theme/*.json dist/theme/ && shx mkdir -p dist/assets && shx cp src/modes/interactive/assets/*.png dist/assets/ && shx mkdir -p dist/export-html/vendor && shx cp src/core/export-html/template.html dist/export-html/ && shx cp src/core/export-html/vendor/*.js dist/export-html/vendor/ && shx cp -r docs dist/ && shx cp -r examples dist/ && shx cp ../../node_modules/@silvia-odwyer/photon-node/photon_rs_bg.wasm dist/
devtsgo -p tsconfig.build.json --watch --preserveWatchOutput
prepublishOnlynpm run clean && npm run build && npm run shrinkwrap
shrinkwrapnode ../../scripts/generate-coding-agent-shrinkwrap.mjs
testvitest --run

Dependencies29

@anthropic-ai/sdk0.91.1
@aws-sdk/client-bedrock-runtime3.1048.0
@earendil-works/pi-agent-core^2026.6.12-2
@earendil-works/pi-ai^2026.6.12-2
@earendil-works/pi-tui^2026.6.12-2
@mistralai/mistralai2.2.1
@silvia-odwyer/photon-node0.3.4
@smithy/node-http-handler4.7.3
@smithy/types4.8.0
chalk5.6.2
cross-spawn7.0.6
diff8.0.4
get-east-asian-width1.6.0
glob13.0.6
highlight.js10.7.3
hosted-git-info9.0.3
http-proxy-agent7.0.2
https-proxy-agent7.0.6
ignore7.0.5
jiti2.7.0
marked15.0.12
minimatch10.2.5
openai6.26.0
partial-json0.1.7
proper-lockfile4.1.2
proxy-from-env1.1.0
typebox1.1.38
undici8.3.0
yaml2.9.0

Optional dependencies1

@mariozechner/clipboard0.3.9