
Fix NPM Vulnerabilities

by jelllove · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
92 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw: /install fix-npm-vuln
Description
This skill should be used when the user asks about "npm vulnerabilities", "npm audit", "fix npm security", "security vulnerabilities in packages", "vulnerabl...
README (SKILL.md)

NPM Vulnerability Fix Skill

This skill provides guidance when users mention npm security vulnerabilities and suggests the automated fix workflow.

When This Skill Applies

This skill activates when the user's request involves:

  • Running npm audit or discussing audit results
  • Fixing npm security vulnerabilities
  • Updating vulnerable npm dependencies
  • Dealing with outdated packages that have known CVEs
  • Security scanning of Node.js projects

Guidance

When a user mentions npm vulnerabilities or security issues in their Node.js project, suggest using the /fix-npm-vuln slash command which provides a complete automated workflow:

  1. Clean working tree — reverts uncommitted changes (with confirmation)
  2. Branch management — switches to main, pulls latest, creates a fix branch
  3. Vulnerability scanning — scans all package.json directories
  4. Automated fixing — runs npm audit fix with smart escalation
  5. Clean environment — removes all node_modules, build caches, and reinstalls dependencies fresh
  6. Build verification — ensures the project still builds
  7. Test verification — ensures tests still pass
  8. Summary report — displays all changes made
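The eight steps above, written out as an added bash example. This is not the skill's own implementation (the page does not show its code); the function names, the fix-branch naming scheme, the use of npm ci / npm run build / npm test, and the decision to gate both destructive steps (reverting the tree, deleting node_modules) behind a typed confirmation are assumptions made here. The skill's "smart escalation" of npm audit fix is not reproduced.

```shell
#!/usr/bin/env bash
# Added example: a defensive sketch of the /fix-npm-vuln workflow.
# Not the skill's own code; names and branch scheme are assumptions.
# Git/npm steps only run when the script is invoked with --run.

set -u

# Deterministic fix-branch name from a date string (e.g. 20240101).
fix_branch_name() {
  printf 'fix/npm-vuln-%s\n' "$1"
}

# Directories containing a package.json, skipping node_modules and .git.
# Sorted so callers (and tests) get a stable list.
find_package_dirs() {
  root=${1:-.}
  find "$root" \( -name node_modules -o -name .git \) -prune \
       -o -name package.json -print \
    | while IFS= read -r f; do dirname "$f"; done | sort
}

# Yes/no prompt: returns 0 only on an explicit y/yes. Reads stdin, so a
# caller or test can supply the answer through a pipe.
confirm() {
  printf '%s [y/N] ' "$1" >&2
  IFS= read -r answer || answer=
  case "$answer" in
    y|Y|yes|YES) return 0 ;;
    *)           return 1 ;;
  esac
}

# Step 1: discard uncommitted changes only after confirmation.
clean_working_tree() {
  if [ -n "$(git status --porcelain)" ]; then
    confirm "Working tree has uncommitted changes. Discard them?" || return 1
    git checkout -- . && git clean -fd
  fi
}

# Steps 2-8 in order; the first failure stops the run.
run_workflow() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 \
    || { echo "not a git repository" >&2; return 1; }
  clean_working_tree || return 1
  git checkout main && git pull --ff-only || return 1
  git checkout -b "$(fix_branch_name "$(date +%Y%m%d)")" || return 1
  # Step 3/4: audit and fix every package.json directory. stdin is
  # redirected so npm cannot consume the directory list from the pipe.
  find_package_dirs . | while IFS= read -r dir; do
    echo "== auditing $dir"
    (cd "$dir" && npm audit fix </dev/null) \
      || echo "npm audit fix left unresolved issues in $dir" >&2
  done
  # Step 5: fresh install from the lockfile, again behind a prompt.
  confirm "Remove all node_modules and reinstall from the lockfile?" || return 1
  find . -name node_modules -type d -prune -exec rm -rf {} +
  npm ci || return 1
  # Steps 6/7: the fix is only kept if build and tests still pass.
  npm run build && npm test || return 1
  # Step 8: summary of what changed relative to main.
  git --no-pager diff --stat main
}

if [ "${1:-}" = "--run" ]; then run_workflow; fi
```

Run it from the repository root as ./fix-npm-vuln.sh --run; without --run it only defines the functions, which is what allows the helpers to be exercised in isolation.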

Suggested Response

When this skill activates, inform the user:

You can use /fix-npm-vuln to run a complete automated npm vulnerability fix workflow. It will scan all project directories, fix vulnerabilities, verify builds and tests, and create a dedicated branch with all the changes. Would you like to run it?

Important Notes

  • The command requires a git repository to work
  • It will create a new branch for the fixes (does not modify main directly)
  • User confirmation is required before reverting any uncommitted changes
  • Build and test failures are handled interactively

Tool Auto-Installation

If a tool required to complete any step is not installed on the current machine, apply the following policy before asking the user:

  1. Check availability — verify whether the tool is missing (e.g. where <tool> or which <tool> returns nothing)
  2. Assess risk — a tool is considered low-risk if it is:
    • Publicly available (official npm package, well-known CLI, OS package manager)
    • Widely used and maintained (e.g. npm-check-updates, snyk, yarn, pnpm)
    • Non-destructive by default (does not modify system files, does not require elevated permissions)
  3. Auto-install if low-risk — install silently without asking the user:
    • npm global tool: npm install -g <tool>
    • winget (Windows): winget install <tool>
    • Other package managers as appropriate for the OS
  4. Ask the user if high-risk — if the tool requires admin rights, modifies system config, or is from an unverified source, show the install command and ask for confirmation before proceeding.
Usage Guidance

This skill appears to genuinely aim at automating npm vulnerability fixes, but it includes a policy to auto-install tools silently (npm -g, winget, etc.) and will modify your git repo (reverting changes, creating branches, running builds/tests). Before installing or running it:

  1. Disable or remove the silent auto-install behavior and require explicit consent for any global/system installs.
  2. Ask which exact packages (names and versions/hashes) it will install and prefer pinned versions from known maintainers.
  3. Run the workflow in a disposable environment (container or VM) or on a CI branch to avoid unintended changes.
  4. Ensure you have a backup of your repo and CI runs before merging automated fixes.
  5. Require confirmation for any destructive actions (revert, global install, or admin-elevated commands).

These mitigations reduce risk while still allowing the skill to perform its intended purpose.
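An added bash example of what the SKILL.md "Tool Auto-Installation" policy looks like once the mitigations above are applied: the "auto-install if low-risk" branch is removed entirely, a tool is installed only if it appears on a reviewed allowlist with a pinned version, the exact command is displayed, and nothing runs without a typed confirmation. This is not the skill's code; the allowlist contents, the 1.2.3-style version numbers (placeholders, not vetted releases) and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own code: a consent-gated replacement for
# the "install silently if low-risk" rule. Tools are installed only from a
# reviewed allowlist with pinned versions, and never without confirmation.

set -u

# Constructed sample allowlist: "name version installer", one per line.
# Versions are placeholders; pin each to the release you have reviewed.
# Anything not listed is refused instead of being guessed "low-risk".
ALLOWLIST='npm-check-updates 1.2.3 npm
snyk 1.2.3 npm
pnpm 1.2.3 npm'

# 0 if the tool is absent from PATH, 1 if present.
tool_missing() { ! command -v "$1" >/dev/null 2>&1; }

# Print the allowlist entry for a tool, or fail if it is not listed.
allowlisted_entry() {
  printf '%s\n' "$ALLOWLIST" \
    | awk -v n="$1" '$1 == n { print; found = 1 } END { exit !found }'
}

# Build the pinned install command for a listed tool (display and execution
# use the same string, so what the user sees is what runs).
allowlisted_install_cmd() {
  entry=$(allowlisted_entry "$1") || return 1
  set -- $entry   # name version installer
  case "$3" in
    npm)    printf 'npm install -g %s@%s\n' "$1" "$2" ;;
    winget) printf 'winget install --id %s --version %s --exact\n' "$1" "$2" ;;
    *)      return 1 ;;
  esac
}

# Yes/no prompt; 0 only on an explicit y/yes (reads stdin).
confirm() {
  printf '%s [y/N] ' "$1" >&2
  IFS= read -r answer || answer=
  case "$answer" in
    y|Y|yes|YES) return 0 ;;
    *)           return 1 ;;
  esac
}

# Return codes: 0 installed or already present, 1 user declined,
# 2 refused because the tool is not on the allowlist.
ensure_tool() {
  name=$1
  tool_missing "$name" || { echo "$name is already installed" >&2; return 0; }
  cmd=$(allowlisted_install_cmd "$name") || {
    echo "refusing: $name is not on the reviewed allowlist; add it with a pinned version first" >&2
    return 2
  }
  echo "About to run: $cmd" >&2
  confirm "Install $name now?" || { echo "skipped $name" >&2; return 1; }
  sh -c "$cmd"
}

if [ "${1:-}" = "--ensure" ]; then ensure_tool "$2"; fi
```

Usage: ./ensure-tool.sh --ensure snyk. A tool that is already on PATH returns immediately; a listed tool is shown with its pinned command and waits for a yes; an unlisted tool returns 2 so a calling workflow can stop and ask the user rather than escalate on its own.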
Capability Analysis

Type: OpenClaw Skill
Name: fix-npm-vuln
Version: 1.0.1

The SKILL.md file contains instructions that direct the AI agent to perform silent global installations of software (e.g., 'npm install -g <tool>') without seeking user confirmation. While the stated intent is to facilitate npm vulnerability remediation using tools like 'snyk' or 'pnpm', the instruction to bypass user consent for system-level changes is a significant security risk that could be exploited to install arbitrary packages. This behavior qualifies as a high-risk vulnerability/pattern rather than confirmed malice.
Capability Assessment
Purpose & Capability
Name/description and SKILL.md align: the skill focuses on running npm audit/fixes, scanning package.json, creating a fix branch, building and testing. Required resources declared (none) are consistent with a guidance-only skill.
Instruction Scope
SKILL.md instructs the agent to read project files (package.json), manage git state (revert uncommitted changes, switch branches), run build/tests, and — importantly — to auto-install missing tools. The silent auto-install policy (install without asking for 'low-risk' tools) grants the agent broad discretion to download and run software and modify the system, which goes beyond simply advising on npm vulnerabilities.
Install Mechanism
Although the skill bundle has no install spec, the runtime policy directs using npm global installs, winget, and other package managers. Global npm installs and package-manager installs download and execute code from external registries — this is moderate-to-high risk when done automatically and silently, especially if the exact packages are not pre-specified or pinned.
Credentials
The skill does not request credentials or environment variables, which is appropriate. However, the workflow may require network access and elevated permissions to install global tools and will modify the user's git repository; these side effects are not expressed as required permissions and could surprise users.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills, but its instructions modify system state (installing global tools) and repository state (creating branches, reverting changes). That behavior is expected for remediation but should require explicit user confirmation; the SKILL.md's silent install rule is the main privilege concern.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fix-npm-vuln
  3. After installation, invoke the skill by name or use /fix-npm-vuln
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Re-publish with formatting fixes
v1.0.0
Initial release of fix-npm-vuln:
  • Introduces a skill for addressing npm vulnerabilities in Node.js projects.
  • Guides users on when and how to use the /fix-npm-vuln automated fix workflow.
  • Outlines the step-by-step process: from scanning to auto-fixing vulnerabilities, branch management, build/test verification, and summary reporting.
  • Describes the auto-installation policy for required tools, handling common package managers and safety checks.
  • Provides a recommended user-facing response and important operational notes.
Metadata
Slug: fix-npm-vuln
Version: 1.0.1
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is Fix NPM Vulnerabilities?

This skill should be used when the user asks about "npm vulnerabilities", "npm audit", "fix npm security", "security vulnerabilities in packages", "vulnerabl... It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.

How do I install Fix NPM Vulnerabilities?

Run "/install fix-npm-vuln" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Fix NPM Vulnerabilities free?

Yes, Fix NPM Vulnerabilities is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Fix NPM Vulnerabilities support?

Fix NPM Vulnerabilities is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Fix NPM Vulnerabilities?

It is built and maintained by jelllove (@jelllove); the current version is v1.0.1.
