MintGarden
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may fetch npm packages and add `mg` and `mintgarden` commands to the user's global CLI path.
The skill asks the user to install npm dependencies and optionally register global CLI commands. This is disclosed and purpose-aligned for a CLI/API client, but it changes the local Node environment.
npm install chmod +x cli.js npm link # Makes 'mg' and 'mintgarden' global
Install only from a trusted copy, review `package.json` and `package-lock.json`, and skip `npm link` unless global CLI commands are needed.
Users have less registry-level assurance about where the code originated.
The registry metadata does not provide an authoritative source or homepage, while the package includes installable code. This is a provenance clarity issue rather than evidence of malicious behavior.
Source: unknown Homepage: none
Verify the package repository and contents before installing, especially if using the manual clone or npm installation path.