TypeScript Package Manager
Pass. Audited by ClawScan on May 12, 2026.
Overview
This looks like a normal TypeScript package-management guide with disclosed command examples, but users should review helper scripts and remote installer commands before running them.
This skill is reasonable to use for TypeScript package-management advice. Before approving any action, check the exact package-manager command, review package.json and lockfile diffs, inspect any .js.txt helper before renaming or running it, and avoid pipe-to-shell installers unless you trust and verify the source.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the skill may change package.json, lockfiles, or installed dependencies in a project.
The skill covers commands that can mutate project dependencies and lockfiles, but it also clearly requires explicit user confirmation and diff review.
Treat installs, updates, removals, audits with `--fix`, and lockfile regenerations as mutating actions. Surface the exact command and the expected `package.json` / lockfile diff first, then proceed only after the user confirms.
Review the exact command and expected diff before approving dependency or lockfile changes.
Users rely on the bundled script contents rather than an independently verifiable upstream project.
The skill discloses a provenance gap for bundled helper scripts, which matters if a user chooses to execute them.
The helper scripts in this skill are local to this repository and are not currently published with an upstream source or homepage in the registry metadata. Treat them as untrusted code until you have read them.
Inspect any helper script before renaming or running it, and prefer official package-manager documentation or pinned tools when possible.
Running the helper can execute local commands such as tool/version checks in the current environment.
A bundled helper is executable JavaScript if renamed and can shell out to local tools, although the provided instructions say it is not directly executable and must be reviewed first.
`import { execSync } from 'child_process'; ... return execSync(cmd, { encoding: 'utf8', stdio: 'pipe' }).trim();`
Only run helper scripts in a trusted project directory after reading them and confirming the exact commands they execute.
If copied and run, remote installer commands execute code from an external server on the user's machine.
The documentation includes pipe-to-shell installer examples, but it explicitly warns about the risk and recommends verification or pinning.
Any documented one-liner that fetches code from the network (for example `curl -fsSL https://bun.sh/install | bash` or `powershell -c "irm bun.sh/install.ps1 | iex"`) executes whatever the upstream serves at that moment.
Verify installer URLs, prefer official package managers or downloaded installers, and pin versions for sensitive environments.
