NPM Package Scanner
by geoffrey-xiao · GitHub · v1.0.0 · MIT-0
226 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install npm-package-scan
Description
Scan npm packages used in a repository for risk, maintenance health, and upgrade concerns.
Usage Guidance
This is an instruction-only repo-inspection skill that mostly does what it says: it reads package manifests and runs package-manager audits. Before using it, ensure the required tools (rg, jq, npm and, as currently declared, bun) are actually available — bun may be unnecessary for many projects but is declared mandatory. Be aware that npm/pnpm/yarn audit commands contact package registries (network activity) and may return noisy results; the skill does not request secrets. Also note that the skill references local helper files (references/*.md) that are not included. If you want to use it on a repo that uses pnpm or yarn, either install those tools or update the skill to declare them. If you’re unsure, run the commands manually first to confirm outcomes and network behavior before granting the agent autonomous runs.
Capability Analysis
Type: OpenClaw Skill
Name: npm-package-scanner
Version: 1.0.0
The NPM Package Scanner skill is a standard utility designed to audit repository dependencies for security and maintenance risks. It uses legitimate tools such as `rg`, `npm audit`, and `bun audit` to inspect manifest files (e.g., package.json) and identify vulnerabilities. The instructions in SKILL.md are transparent, align with the stated purpose, and include explicit constraints against modifying the environment without user permission.
Capability Assessment
Purpose & Capability
The declared purpose (inspect package.json/lockfiles and run audits) aligns with the requested binaries (rg, jq, npm). However, bun is listed as a required binary even though many repos will not use Bun, while pnpm and yarn are referenced in the instructions but are not declared as required. Requiring bun as mandatory is disproportionate for a generic npm scanner and could cause unnecessary install failures.
Instruction Scope
Runtime instructions stay within the stated purpose: locate manifests, read package.json and lockfiles, list dependencies, and run package-manager audits. The skill reads local files (manifests, lockfiles) and runs audit/list commands but does not instruct the agent to modify dependencies. Note: it references 'references/checklist.md' and 'references/commands.md', which are not present in the skill bundle.
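The Usage Guidance above recommends confirming tool availability and network behavior by hand before letting the agent run autonomously, and the instruction scope is "find manifests, detect the package manager, run its audit". The POSIX shell script below is an added example of that pre-flight, not code from the skill or from geoffrey-xiao: it checks for the binaries the listing names, detects the package manager from the lockfile in each manifest directory, and prints the registry-contacting audit command instead of executing it, so a reviewer sees exactly what would touch the network. The lockfile names and the exact audit command forms (`--json` flags, `bun audit`) are assumptions of this example, not something the listing specifies.

```shell
#!/bin/sh
# Added example (not the skill's own code): pre-flight checks and a dry-run
# audit plan for a repository, so tools and network activity are visible
# before an agent is granted autonomous runs.

# Binaries the listing names as required by the skill (bun deliberately
# left out: it is only needed when a bun lockfile is actually present).
REQUIRED_TOOLS="rg jq npm"

# Return 0 if every tool in $1 (space-separated) is on PATH; otherwise list
# the missing ones on stderr and return 1.
check_tools() {
  missing=""
  for t in $1; do
    command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
  done
  if [ -n "$missing" ]; then
    echo "missing tools:$missing" >&2
    return 1
  fi
  return 0
}

# Detect the package manager from the lockfile in directory $1.
# Prints one of: bun, pnpm, yarn, npm, none. Lockfile names are assumptions.
detect_pm() {
  dir=$1
  if [ -f "$dir/bun.lockb" ] || [ -f "$dir/bun.lock" ]; then echo bun
  elif [ -f "$dir/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$dir/yarn.lock" ]; then echo yarn
  elif [ -f "$dir/package-lock.json" ] || [ -f "$dir/npm-shrinkwrap.json" ]; then echo npm
  else echo none
  fi
}

# Print the audit command that would be run for package manager $1.
# Nothing is executed here: each of these contacts a package registry,
# so the reviewer sees the exact network-touching command first.
audit_cmd() {
  case $1 in
    npm)  echo "npm audit --json" ;;
    pnpm) echo "pnpm audit --json" ;;
    yarn) echo "yarn audit --json" ;;
    bun)  echo "bun audit" ;;
    *)    echo "" ;;
  esac
}

# Count declared dependencies (prod + dev) in $1/package.json with jq.
count_deps() {
  jq '((.dependencies // {}) | length) + ((.devDependencies // {}) | length)' "$1/package.json"
}

# Walk a repository: for every package.json outside node_modules, report the
# directory, detected manager, dependency count and the planned audit command.
plan_repo() {
  root=$1
  find "$root" -name node_modules -prune -o -name package.json -print |
  while read -r manifest; do
    dir=$(dirname "$manifest")
    pm=$(detect_pm "$dir")
    echo "$dir pm=$pm deps=$(count_deps "$dir") audit='$(audit_cmd "$pm")'"
  done
}

# Usage: sh preflight.sh /path/to/repo
if [ -n "${1:-}" ]; then
  check_tools "$REQUIRED_TOOLS"
  plan_repo "$1"
fi
```

A repo whose manifest directory reports `pm=none` has no lockfile, so any audit would resolve the tree fresh against the registry; that is the case where running the command manually first, as the guidance suggests, matters most.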
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by the skill itself. This is low risk from an install perspective.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for secrets and only needs local repo access and standard developer tools.
Persistence & Privilege
The `always` flag is false and the skill does not request any persistent agent-wide privileges. Autonomous invocation is allowed by default, but there are no elevated persistence claims.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install npm-package-scan
- After installation, invoke the skill by name or use /npm-package-scan
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of NPM Package Scanner.
- Scans npm packages in a repository for risk, maintenance issues, and upgrade concerns.
- Analyzes package manifests, lockfiles, and workspace configurations.
- Identifies risky, stale, or unnecessary dependencies and semver issues.
- Runs audit commands for npm, bun, pnpm, and yarn when available.
- Provides a structured summary of findings and actionable recommendations.
Frequently Asked Questions
What is NPM Package Scanner?
Scan npm packages used in a repository for risk, maintenance health, and upgrade concerns. It is an AI Agent Skill for Claude Code / OpenClaw, with 226 downloads so far.
How do I install NPM Package Scanner?
Run "/install npm-package-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is NPM Package Scanner free?
Yes, NPM Package Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does NPM Package Scanner support?
NPM Package Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created NPM Package Scanner?
It is built and maintained by geoffrey-xiao (@geoffrey-xiao); the current version is v1.0.0.