← Back to Skills Marketplace
10
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install npm-publish
Description
Publish an NPM package to the registry, handling authentication via browser-based login with 2FA/security key support.
README (SKILL.md)
NPM Publish Skill
Publish an NPM package to the registry. Handles authentication including 2FA and security key (WebAuthn) flows.
Prerequisites
- Node.js 22+ and npm installed
- Package.json with correct name, version, and
prepublishOnlyscript - Password manager CLI (optional, for retrieving credentials)
Process
Step 1: Verify Package Readiness
npm run build:hooks # or whatever build step exists
npm test # ensure tests pass
- Build succeeds
- Tests pass
Step 2: Check NPM Authentication
npm whoami
- If this returns a username → already authenticated, skip to Step 5.
- If this returns
E401→ need to authenticate, continue to Step 3.
Step 3: Retrieve Credentials (Optional)
If the user has a password manager CLI, retrieve credentials:
rbw (Bitwarden):
rbw get npmjs.com # returns password
rbw get --full npmjs.com # returns username + password + URIs
Other password managers — ask the user how to retrieve their NPM credentials:
pass:pass show npmjs.com1password:op item get "npmjs.com" --fields label=username,label=passwordgopass:gopass show npmjs.com- Custom: ask user for their CLI command
Extract:
- Username from the full output
- Password from the first line of output
Step 4: Browser-Based Login (REQUIRED for 2FA/Security Key)
NPM requires browser-based authentication when 2FA or security keys are enabled. Use the user's default browser, not a test/headless browser.
4a: Start npm login (opens browser for 2FA)
npm login
This prints a URL like:
https://www.npmjs.com/login?next=/login/cli/\x3Cuuid>
4b: Open the login URL in the user's default browser
open "\x3Cthe-login-url>"
On macOS, open uses the user's default browser with all their existing sessions, cookies, and extensions — including security key/WebAuthn support.
4c: Automate credential entry (optional, if no existing browser session)
If the user is NOT already logged into npmjs.com in their browser, use Playwright with the user's Chrome profile to fill credentials:
npx playwright install chromium # first time only
Then run a script like:
import { chromium } from 'playwright';
import { writeFileSync } from 'fs';
import { homedir } from 'os';
import { join } from 'path';
import { execSync } from 'child_process';
// Get credentials from password manager or user
const NPM_USER = '\x3Cusername from password manager>';
const NPM_PASS = '\x3Cpassword from password manager>';
// Use user's Chrome — NOT headless, NOT test browser
// channel: 'chrome' uses the system Chrome installation
const browser = await chromium.launch({ headless: false, channel: 'chrome' });
const context = await browser.newContext();
const page = await context.newPage();
await page.goto('https://www.npmjs.com/login');
await page.waitForLoadState('networkidle');
// Fill username
const usernameInput = page.locator('input#username, input[name="username"], input[type="text"]').first();
await usernameInput.waitFor({ timeout: 10000 });
await usernameInput.fill(NPM_USER);
// Fill password
const passwordInput = page.locator('input#password, input[name="password"], input[type="password"]').first();
await passwordInput.waitFor({ timeout: 5000 });
await passwordInput.fill(NPM_PASS);
// Click sign in
const signInBtn = page.locator('button[type="submit"], button:has-text("Sign In"), button:has-text("Log In")').first();
await signInBtn.click();
// Wait for user to complete 2FA/security key in the browser
console.log('Waiting for 2FA/security key authentication...');
const result = await Promise.race([
page.waitForURL('**/dashboard**', { timeout: 300000 }).then(() => 'dashboard'),
page.waitForURL('**/login/cli/**', { timeout: 300000 }).then(() => 'cli-callback'),
page.waitForURL('**/~**', { timeout: 300000 }).then(() => 'profile'),
]).catch(() => 'timeout');
console.log('Login result:', result, 'URL:', page.url());
// After successful login, create an automation token via the NPM API
if (result !== 'timeout') {
const tokenResult = await page.evaluate(async () => {
const res = await fetch('/-/npm/v1/tokens', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ password: '\x3CNPM_PASS>', readonly: false, cidr_whitelist: [] }),
});
return res.json();
});
if (tokenResult && tokenResult.token) {
const npmrcPath = join(homedir(), '.npmrc');
writeFileSync(npmrcPath, `//registry.npmjs.org/:_authToken=${tokenResult.token}\
`);
console.log('Token written to .npmrc!');
}
}
// Verify authentication
try {
const whoami = execSync('npm whoami 2>&1').toString().trim();
console.log('npm whoami:', whoami);
} catch (e) {
console.log('npm whoami failed — manual intervention needed');
}
await browser.close();
Key points:
channel: 'chrome'uses the user's installed Chrome (with security key support)headless: false— MUST be visible for WebAuthn/security key prompts- The user only needs to tap their security key — everything else is automated
- After login, create an NPM automation token and write it to
~/.npmrc
4d: Verify authentication
npm whoami
Must return the correct username before proceeding.
Step 5: Publish
npm publish --access public
For scoped packages (@scope/name), --access public is required on first publish.
If publish fails with E403:
- Check if the package version already exists:
npm view \x3Cpackage>@\x3Cversion> - Bump version if needed
- Check scope permissions:
npm access list packages
If publish fails with E404:
- The NPM scope may not exist or user lacks permission
- Verify:
npm org ls \x3Cscope-name>or check on npmjs.com
Step 6: Verify
npm view \x3Cpackage-name> version
Confirm the published version matches.
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| E401 Unauthorized | Not logged in | Run Step 4 |
| E403 Forbidden | Version already published or no permission | Bump version or check scope access |
| E404 Not Found | Scope doesn't exist or no publish rights | Create scope on npmjs.com or request access |
| WebAuthn not working in Playwright | Headless mode or wrong browser | Use channel: 'chrome' + headless: false |
| Token expired | NPM tokens have limited lifetime | Re-run Step 4 |
Security Notes
- NEVER hardcode credentials in scripts committed to git
- Use password manager CLI to retrieve credentials at runtime
- The
npm-login.mjsscript should be created as a temp file and deleted after use - Add
npm-login.mjsto.gitignore - Automation tokens should be scoped to publish-only when possible
Usage Guidance
Review before installing. The normal build, test, npm login, npm whoami, npm publish, and npm view steps are coherent, but do not let an agent create or store npm tokens unless you explicitly intend that. Prefer manual npm login or a tightly scoped token, inspect any script before running it, and remove any temporary token from npm and ~/.npmrc after publishing.
Capability Assessment
Purpose & Capability
Publishing to npm reasonably involves authentication, tests, and npm publish, but the documented Playwright flow also creates an npm token and stores it locally, which expands authority beyond a one-time publish.
Instruction Scope
The skill gives detailed credential-entry and token-creation instructions without requiring clear affirmative user approval at the point where credentials are retrieved, browser login is automated, or ~/.npmrc is modified.
Install Mechanism
The artifact contains markdown instructions only, with no executable install hooks or bundled scripts.
Credentials
Use of npm, a browser, Playwright, and optional password-manager CLIs is coherent for npm publishing with 2FA, but using those tools to mint an unrestricted token is broader than needed.
Persistence & Privilege
The sample writes an auth token to ~/.npmrc, creating durable npm registry access and potentially overwriting existing npm configuration, with no cleanup or rollback step.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install npm-publish - After installation, invoke the skill by name or use
/npm-publish - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Add OpenCode, Kiro, Devin, Codex, Cursor, and Windsurf skill compatibility
v1.0.1
Normalize SKILL.md frontmatter for OpenClaw, Hermes, and Claude compatibility
Metadata
Frequently Asked Questions
What is Npm Publish?
Publish an NPM package to the registry, handling authentication via browser-based login with 2FA/security key support. It is an AI Agent Skill for Claude Code / OpenClaw, with 10 downloads so far.
How do I install Npm Publish?
Run "/install npm-publish" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Npm Publish free?
Yes, Npm Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Npm Publish support?
Npm Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Npm Publish?
It is built and maintained by clarezoe (@clarezoe); the current version is v1.0.2.
More Skills