
bundlephobia

by suhteevah · GitHub ↗ · v1.0.1 · MIT-0
Platforms: darwin, linux, win32 · ⚠ suspicious
83 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install bundlephobia
Description
Bundle size & dependency bloat analyzer — scans JS/TS projects for oversized dependencies, duplicate packages, tree-shaking failures, and bundle configuratio...
README (SKILL.md)

# BundlePhobia — Bundle Size & Dependency Bloat Analyzer

BundlePhobia scans your JavaScript and TypeScript projects for oversized dependencies, duplicate packages, tree-shaking failures, barrel file anti-patterns, and bundle configuration issues. It uses 90+ detection patterns covering 5 categories of bundle bloat. 100% local, zero telemetry.

## Commands

### Free Tier (No license required)

#### `bundlephobia scan [file|dir]`
One-shot bundle bloat scan of your project (5 file limit on free tier).

How to execute:

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" scan [file|dir]
```

**What it does:**
1. Detects project type (npm/yarn/pnpm/monorepo)
2. Discovers JS/TS source files, package.json, and bundler configs
3. Scans for oversized dependencies, duplicate packages, tree-shaking failures
4. Checks bundle configuration (webpack, vite, rollup, esbuild)
5. Analyzes dependency hygiene in package.json
6. Calculates a 0-100 bloat score with letter grade (A-F)

**Example usage scenarios:**
- "Scan my project for bundle bloat" -> runs `bundlephobia scan .`
- "Check if I have oversized dependencies" -> runs `bundlephobia scan .`
- "Find tree-shaking issues in my code" -> runs `bundlephobia scan src/`
- "Analyze my package.json for bloat" -> runs `bundlephobia scan package.json`

#### `bundlephobia status`
Show license info and current configuration.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" status
```

#### `bundlephobia patterns`
List all 90+ detection patterns.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" patterns
```

### Pro Tier ($19/user/month — requires BUNDLEPHOBIA_LICENSE_KEY)

#### `bundlephobia hooks install`
Install git hooks that scan for bundle bloat on every commit.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" hooks install
```

**What it does:**
1. Validates Pro+ license
2. Installs lefthook pre-commit hook targeting JS/TS files and package.json
3. On every commit: scans staged files for bundle bloat patterns, blocks commit if critical/high issues found

#### `bundlephobia hooks uninstall`
Remove BundlePhobia git hooks.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" hooks uninstall
```

#### `bundlephobia report [dir]`
Generate a detailed markdown bundle health report.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" report [dir]
```

#### `bundlephobia audit [dir]`
Deep dependency audit — analyzes every dependency for size, alternatives, and optimization opportunities.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" audit [dir]
```

### Team Tier ($39/user/month — requires BUNDLEPHOBIA_LICENSE_KEY with team tier)

#### `bundlephobia budget [dir]`
Enforce size budgets — fails if bundle exceeds configured thresholds.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" budget [dir]
```

#### `bundlephobia sarif [dir]`
Generate SARIF JSON output for CI/CD integration (GitHub Code Scanning, etc.).

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" sarif [dir]
```

#### `bundlephobia ci [dir]`
CI mode — non-interactive scan with machine-readable output and exit codes.

```bash
bash "<SKILL_DIR>/scripts/bundlephobia.sh" ci [dir]
```

## Detection Categories (90+ patterns)

| Category | Patterns | What It Detects |
|----------|----------|-----------------|
| Oversized Dependencies | 20 | moment.js, lodash full import, faker in prod, aws-sdk v2, etc. |
| Duplicate & Redundant | 18 | axios + node-fetch, moment + dayjs, jest + mocha, etc. |
| Tree-Shaking Failures | 20 | import *, require(), barrel re-exports, namespace imports, etc. |
| Bundle Configuration | 18 | Missing splitChunks, no code splitting, missing externals, etc. |
| Dependency Hygiene | 14+ | Pinned versions, deprecated packages, devDeps in deps, etc. |
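
The README describes the scanner as grep-based pattern matching and the Pro-tier hook as blocking a commit on findings. The following added example (not the skill's own `scripts/patterns.sh` or `bundlephobia.sh`) shows what such a check looks like for the "Tree-Shaking Failures" row: three illustrative patterns, a scan over a constructed sample tree that prunes `node_modules`, and a check function whose exit status a pre-commit hook or CI step could block on. The pattern set and the `ts-*` identifiers are assumptions made for the example.

```shell
# Added example, not the skill's own scripts/patterns.sh: a grep-based check
# for the "Tree-Shaking Failures" row of the category table above. The
# three patterns are an assumption chosen for illustration.

# Print one "id:file:line:text" record per finding under directory $1.
# Only .js/.ts sources are scanned; node_modules is pruned. The pattern
# table is a quoted here-doc, so the shell never expands the regexes.
scan_tree_shaking() {
  while read -r id regex; do
    find "$1" -path '*/node_modules' -prune -o -type f \( -name '*.js' -o -name '*.ts' \) -print |
    while IFS= read -r f; do
      grep -nE "$regex" "$f" | sed "s|^|$id:$f:|"
    done
  done <<'EOF'
ts-namespace-import    ^[[:space:]]*import[[:space:]]+\*[[:space:]]+as[[:space:]]
ts-commonjs-require    (^|[^A-Za-z0-9_.])require[[:space:]]*\(
ts-lodash-full-import  from[[:space:]]+["']lodash["']
EOF
}

# Succeed only with zero findings, so a pre-commit hook or CI step can block
# on the exit status, as the Pro-tier hook is described to do for
# critical/high issues.
check_tree_shaking() {
  n=$(scan_tree_shaking "$1" | wc -l | tr -d ' ')
  echo "tree-shaking findings: $n"
  [ "$n" -eq 0 ]
}

# Constructed sample project for the demonstration (not real user code).
make_sample_project() {
  d=$(mktemp -d)
  mkdir -p "$d/src" "$d/node_modules/foo"
  cat > "$d/src/a.js" <<'EOF'
import * as utils from './utils';      // namespace import: nothing in utils can be dropped
import _ from 'lodash';                // whole-library import
import { debounce } from 'lodash-es';  // fine: per-function ESM import
const fs = require('fs');              // CommonJS require in an ESM file
EOF
  printf 'module.exports = require("./lib");\n' > "$d/node_modules/foo/index.js"
  printf '%s\n' "$d"
}

proj=$(make_sample_project)
scan_tree_shaking "$proj"            # 3 findings, none from node_modules
check_tree_shaking "$proj" || echo "would block commit"
rm -rf "$proj"
```

The `lodash-es` import is deliberately left unflagged, which is the kind of false-positive boundary a real pattern set has to draw for every entry.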

## Configuration

Add to `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "bundlephobia": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "maxBundleSize": "500KB",
          "ignoredPackages": [],
          "severityThreshold": "high",
          "checkTreeShaking": true,
          "checkDuplicates": true
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately — no configuration needed
- **All scanning happens locally** using grep-based pattern matching
- **License validation is offline** — no phone-home, no telemetry
- Works with npm, yarn, pnpm, and monorepos
- Supports webpack, vite, rollup, esbuild, parcel, and next.js configs
- POSIX-compatible — runs on macOS, Linux, and Windows (WSL/Git Bash)

## When to Use BundlePhobia

The user might say things like:
- "Scan my project for large dependencies"
- "Check my bundle size"
- "Find unnecessary packages in my project"
- "Are there any tree-shaking issues?"
- "Audit my dependencies for bloat"
- "Set up bundle size monitoring"
- "Check if I have duplicate packages"
- "Generate a bundle health report"
- "Enforce size budgets in CI"

Usage Guidance
This skill appears to do what it claims: local grep-based bundle analysis and optional pre-commit hook installation. Before installing:
  1. Confirm you are comfortable with lefthook being installed and lefthook.yml being created/modified in your repository (hooks will run on every commit and can block commits).
  2. Provide a BUNDLEPHOBIA_LICENSE_KEY only if you trust the vendor; the license is validated locally.
  3. Note the script may optionally use an env var named CLAWHUB_JWT_SECRET to verify JWT signatures (not documented in SKILL.md); if you maintain such a secret, be aware the skill will check it if present.
  4. Review the scripts yourself (they are small, shell-based, and offline) if you need higher assurance.

If you want to avoid repo changes, use the free 'bundlephobia scan' command, which runs a one-shot local scan without installing hooks.
Capability Analysis
Type: OpenClaw Skill
Name: bundlephobia
Version: 1.0.1

The bundle is a legitimate static analysis tool for JavaScript and TypeScript projects designed to identify bundle bloat and dependency issues. It operates entirely locally using standard shell utilities (grep, find, du) to scan source code and configuration files against a comprehensive set of 90+ patterns defined in scripts/patterns.sh. The licensing system (scripts/license.sh) uses offline JWT validation without telemetry or network calls, and the git hook integration (scripts/bundlephobia.sh) is a standard development workflow feature that is clearly documented and user-invoked.
Capability Tags
crypto, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name, description, CLI commands, and included scripts all align: the code performs local pattern-based scanning of JS/TS projects, produces reports, and optionally installs pre-commit hooks via lefthook. Declared requirements (git, bash, python3, jq) and primaryEnv (BUNDLEPHOBIA_LICENSE_KEY) match the documented free/pro/team feature split.
Instruction Scope
SKILL.md and scripts instruct the agent to discover files in the project tree, run grep-based pattern checks, and (for Pro) install lefthook-based pre-commit hooks. The scripts read the user's repo files and the OpenClaw config (~/.openclaw/openclaw.json) to find a license key—this is expected behavior for a local scanner and for offline license lookup.
Install Mechanism
Install spec is a single brew formula (lefthook) to support hooks installation. No arbitrary downloads, URL fetches, or extract/install-from-personal-servers are present in the provided files.
Credentials
Primary credential BUNDLEPHOBIA_LICENSE_KEY is appropriate for pro/team features. Minor concerns: license validation optionally looks for an env var named CLAWHUB_JWT_SECRET (used to verify JWT HMAC) which is not declared in metadata—this is likely a shared-secret mechanism but it's not documented. The scripts also attempt to use node as a fallback to parse JSON if available (node is not listed as a required binary), which is harmless but worth noting.
Persistence & Privilege
Skill does not request always:true and does not persist across agents. Installing 'hooks install' writes/edits lefthook.yml in the repository and runs lefthook install to create git hooks — expected for a pre-commit hook feature but it does modify repo-level configuration (and will run on every commit until removed).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bundlephobia
  3. After installation, invoke the skill by name or use /bundlephobia
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fix: declare all deps, JWT signature verification, configPaths
v1.0.0
Initial release of the bundlephobia skill — a local bundle size and dependency bloat analyzer for JS/TS projects.
- Scans projects for oversized dependencies, duplicate packages, tree-shaking failures, barrel file patterns, and bundle configuration issues using 90+ detection patterns.
- Supports free, pro, and team tiers (different commands and features based on license level).
- Includes commands for scanning, license status, detection pattern listing, in-depth audit, report generation, bundle budget enforcement, SARIF output, and CI integration.
- Fully local analysis; zero telemetry, offline license validation, supports npm/yarn/pnpm/monorepos and major bundlers.
- POSIX-compatible — works on macOS, Linux, and Windows (WSL/Git Bash).
Metadata
Slug bundlephobia
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is bundlephobia?

Bundle size & dependency bloat analyzer — scans JS/TS projects for oversized dependencies, duplicate packages, tree-shaking failures, and bundle configuratio... It is an AI Agent Skill for Claude Code / OpenClaw, with 83 downloads so far.

How do I install bundlephobia?

Run "/install bundlephobia" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is bundlephobia free?

Yes, bundlephobia is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does bundlephobia support?

bundlephobia is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created bundlephobia?

It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
