Package evidence

@pencil-agent/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 666
Versions published: 124
First published: Feb 2026
Publisher: lucy.cl

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pencil-agent/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pencil-agent/[email protected]"],"fail_on":"review"}'

Publisherlucy.cl

Artifact bytes32,696,947

Previous version1.11.38

Published2026-04-10T15:05:50.337Z

SHA-256535b7b074b213237e0d49ce8a2dc29eea70952211ae4357c57b356d600515a8b

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

2d agoLast checked

reviewRisk

76Score

1.11.39Version

Status history (1 event)

new → available2d ago · risk review · score 76 · status changed

Evidence

Static findings

16 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 16 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/cli/args.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/google-auth-library/build/src/auth/defaultawssecuritycredentialssupplier.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/client-bedrock-runtime/dist-es/models/enums.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@pencil-agent/ai/dist/env-api-keys.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/google-auth-library/build/src/auth/googleauth.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/extensions/defaults/security-audit/index.js	matched ".ssh/"	5
low	Credential file access	package/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js	matched "aws_access_key"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/extensions/defaults/security-audit/interface.js	matched ".ssh/"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js	matched "aws_access_key"	5
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-ini/package.json	matched ".aws/"	3
low	Credential file access	package/node_modules/@aws-sdk/credential-provider-process/package.json	matched ".aws/"	3

Manifest

Package metadata

Scripts16

buildnpm run clean:dist && npm run build:deps && tsc && npm run copy:theme:json && npm run copy:assets && npm run bundle:packages
build:depsnpm run build --prefix packages/ai && npm run build --prefix packages/agent-core && npm run build --prefix packages/tui
bundle:packagesnode scripts/bundle-deps.js
changelognode scripts/generate-changelog.js
clean:distnode -e "require('fs').rmSync('dist',{recursive:true,force:true})"
copy:assetsnode scripts/copy-assets.js
copy:theme:jsonnode -e "const fs=require('fs');const p=require('path');const d='dist/modes/interactive/theme';if(!fs.existsSync(d))fs.mkdirSync(d,{recursive:true});fs.readdirSync('modes/interactive/theme').forEach(f=>{if(f.endsWith('.json'))fs.copyFileSync(p.join('modes/interactive/theme',f),p.join(d,f))})"
devtsx cli.ts
prepublishOnlynpm run build
releasenpm run changelog && npm version patch && npm publish
startnpx cross-env NODE_ENV=production node --no-deprecation dist/cli.js
test:interactive-memory-notifynode --test --import tsx test/interactive-memory-notify.test.ts
test:presencenode --test --import tsx test/presence-opening.test.ts
test:subagentnode --test --import tsx test/subagent-parser.test.ts test/worktree-manager.test.ts test/bash-sandbox.test.ts
test:teamnode --test --import tsx test/team-parser.test.ts test/team-runtime.test.ts
watchtsc --watch

Dependencies17

@agentclientprotocol/sdk^0.16.1
@mariozechner/clipboard^0.3.2
@mariozechner/jiti^2.6.2
@silvia-odwyer/photon-node^0.3.4
chalk^5.5.0
cli-highlight^2.1.11
diff^8.0.2
extract-zip^2.0.1
file-type^21.1.1
glob^13.0.1
hosted-git-info^9.0.2
ignore^7.0.5
marked^15.0.12
minimatch^10.1.1
proper-lockfile^4.1.2
yaml^2.8.2
zod^4.3.6