PkgRadar

Package evidence

@pensar/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
502Established · −30% score
First published
Oct 2025
Publisher
josh-pensar

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pensar/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pensar/[email protected]"],"fail_on":"review"}'
Publisherjosh-pensar
Artifact bytes2,819,398
Previous version2.0.1-canary.1323a969
Published2026-06-20T06:26:58.452Z
SHA-256e0367372f938d7a87c6fe800b6c3ae5032860a89408d1e2c809f034ae3aa7550

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
2.0.1-canary.65b1dc91Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/build/doctor-p231vasj.jsmatched "AWS_ACCESS_KEY"5
lowLarge Javascript Payloadpackage/build/cli-zrzp8k7n.js5190562 bytes0
lowLarge Javascript Payloadpackage/build/index-g5xvqy51.js2165431 bytes0

Manifest

Package metadata

Scripts26
  • buildbun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave
  • build:binariesbun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64
  • build:binarybun run generate:ascii && bun build src/cli.ts --compile --outfile pensar
  • build:binary:linux-arm64bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64
  • build:binary:linux-x64bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64
  • build:binary:macos-arm64bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64
  • build:binary:macos-x64bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64
  • checkbiome check --write
  • check:cibiome check
  • daytona-benchmarkbun run scripts/daytona-benchmark.ts
  • devbun run scripts/watch.ts
  • dev:debugSHOW_CONSOLE=true bun run scripts/watch.ts
  • formatbiome check --write && prettier --write "**/*.{md,yml,yaml}"
  • format:checkbiome check && prettier --check "**/*.{md,yml,yaml}"
  • generate:asciibun run scripts/generate-ascii-art.ts
  • generate:modelsbun run scripts/generate-models.ts
  • knipknip
  • lintbiome lint src/
  • lint:fixbiome lint --write src/
  • local-benchmarkbun run scripts/local-benchmark.ts
  • pensarnode bin/pensar.js
  • prepublishOnlynpm run build
  • startbun run src/tui/index.tsx
  • testvitest run
  • test:watchvitest
  • tsctsc --noEmit
Dependencies30
  • @ai-sdk/amazon-bedrock^4.0.113
  • @ai-sdk/anthropic^3.0.81
  • @ai-sdk/google^3.0.37
  • @ai-sdk/openai3.0.46
  • @ai-sdk/openai-compatible^2.0.35
  • @ai-sdk/provider^3.0.8
  • @daytonaio/sdk^0.112.1
  • @googleapis/gmail^16.1.1
  • @microsoft/microsoft-graph-client^3.0.7
  • @modelcontextprotocol/sdk^1.0.0
  • @openrouter/ai-sdk-provider^2.2.3
  • @opentelemetry/api^1.9.0
  • @opentui/core^0.1.107
  • @opentui/react^0.1.107
  • @pensar/surface0.2.2
  • @playwright/mcp^0.0.54
  • ai^6.0.105
  • glob^13.0.0
  • highlight.js^11.11.1
  • imapflow^1.2.10
  • mailparser^3.9.3
  • marked^16.4.0
  • mime-types^3.0.2
  • nodemailer^8.0.7
  • p-limit^7.2.0
  • react^19.2.0
  • sharp^0.34.4
  • tldts^7.0.28
  • yaml^2.8.2
  • zod^3.25.76
Optional dependencies1
  • weave^0.12.1