← Back to Skills Marketplace
robinyves

Npm Supply Chain Security

by Robinyves · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
114
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install npm-supply-chain-security
Description
Help secure JavaScript projects by detecting malicious npm packages, enforcing trusted publishing, verifying releases, and auditing dependencies for threats.
Usage Guidance
This skill appears coherent and aligned with its stated purpose, but the package comes from an unknown source with no homepage — so do not run any example scripts or CI steps verbatim without review. Before using: (1) inspect and test Python/JS snippets in a sandbox, (2) ensure any tokens used are scoped and short-lived (least privilege), (3) prefer GitHub Actions workflows that use OIDC or limited publish tokens, and (4) verify the skill/author provenance (repo, signatures, or known maintainer) before applying its automation to production repositories.
Capability Analysis
Type: OpenClaw Skill Name: npm-supply-chain-security Version: 1.0.0 The skill bundle provides educational content and utility scripts focused on npm supply chain security, including GitHub Actions workflows for trusted publishing and Python/JavaScript scripts for auditing dependencies. No malicious behavior, data exfiltration, or prompt injection attempts were found in SKILL.md or the associated code examples.
Capability Assessment
Purpose & Capability
Name/description (npm supply-chain security) match the content of SKILL.md: guidance, heuristics, and example scripts for verifying releases, configuring trusted publishing, and auditing dependencies. Nothing required by the skill (no env vars, no installs) is disproportionate to that purpose.
Instruction Scope
Runtime instructions and code examples only access npm registry and GitHub APIs and read package.json for local audits — all relevant to the stated purpose. The examples do not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
No install spec or executable downloads are present (instruction-only). This minimizes disk footprint and reduces install-time risk.
Credentials
The skill declares no required environment variables or credentials. Examples reference typical tokens (NODE_AUTH_TOKEN, short-lived tokens) appropriate for publishing workflows; nothing asks for unrelated secrets or broad credentials.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. There is no evidence it attempts to persist credentials or alter agent-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install npm-supply-chain-security
  3. After installation, invoke the skill by name or use /npm-supply-chain-security
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release – protect JavaScript projects from npm supply chain attacks using practical security examples and heuristics. - Explains key supply chain risks, including real-world incidents - Details best practices: trusted publishing, release verification, dependency monitoring, and token management - Provides example code for trusted publishing (npm, GitHub Actions) and red flag detection scripts (Python, JavaScript) - Lists tool dependencies for script usage
Metadata
Slug npm-supply-chain-security
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Npm Supply Chain Security?

Help secure JavaScript projects by detecting malicious npm packages, enforcing trusted publishing, verifying releases, and auditing dependencies for threats. It is an AI Agent Skill for Claude Code / OpenClaw, with 114 downloads so far.

How do I install Npm Supply Chain Security?

Run "/install npm-supply-chain-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Npm Supply Chain Security free?

Yes, Npm Supply Chain Security is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Npm Supply Chain Security support?

Npm Supply Chain Security is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Npm Supply Chain Security?

It is built and maintained by Robinyves (@robinyves); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments