MintGarden
Pass
Audited by ClawScan on May 1, 2026.
Overview
MintGarden appears to be a read-only browser for the public MintGarden API; the main caution is ordinary npm installation and source-provenance hygiene.
This skill looks reasonable for browsing MintGarden NFT data. Before installing, make sure you trust the source, review the npm package files, and remember that your search terms and NFT/profile IDs will be sent to the MintGarden API.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may fetch npm packages and add `mg` and `mintgarden` commands to the user's global CLI path.
The skill asks the user to install npm dependencies and optionally register global CLI commands. This is disclosed and purpose-aligned for a CLI/API client, but it changes the local Node environment.
npm install
chmod +x cli.js
npm link # Makes 'mg' and 'mintgarden' global
Install only from a trusted copy, review `package.json` and `package-lock.json`, and skip `npm link` unless global CLI commands are needed.
Users have less registry-level assurance about where the code originated.
The registry metadata does not provide an authoritative source or homepage, while the package includes installable code. This is a provenance clarity issue rather than evidence of malicious behavior.
Source: unknown
Homepage: none
Verify the package repository and contents before installing, especially if using the manual clone or npm installation path.
