Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NPM Package Scanner

v1.0.0

Scan npm packages used in a repository for risk, maintenance health, and upgrade concerns.


Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for geoffrey-xiao/npm-package-scan.

Prompt: Install & Setup
Install the skill "NPM Package Scanner" (geoffrey-xiao/npm-package-scan) from ClawHub.
Skill page: https://clawhub.ai/geoffrey-xiao/npm-package-scan
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: rg, jq, bun, npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install npm-package-scan

ClawHub CLI

npx clawhub@latest install npm-package-scan

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability

The declared purpose (inspect package.json/lockfiles and run audits) aligns with the requested binaries (rg, jq, npm). However, bun is listed as a required binary even though many repos will not use Bun; pnpm and yarn are referenced in the instructions but are not declared as required. Requiring bun as mandatory is disproportionate for a generic npm-scanner and could cause unnecessary install failures.

Instruction Scope

Runtime instructions stay within the stated purpose: locate manifests, read package.json/locks, list dependencies, and run package-manager audits. The skill references local files (manifests, locks) and runs audit/list commands but does not instruct the agent to modify dependencies. Note: it references 'references/checklist.md' and 'references/commands.md' which are not present in the skill bundle.

Install Mechanism

Instruction-only skill with no install spec or code files — nothing is written to disk by the skill itself. This is low risk from an install perspective.

Credentials

No environment variables, credentials, or config paths are requested. The skill does not ask for secrets and only needs local repo access and standard developer tools.

Persistence & Privilege

The skill's "always" flag is false and the skill does not request any persistent agent-wide privileges. Autonomous invocation is allowed by default but there are no elevated persistence claims.

What to consider before installing

This is an instruction-only repo-inspection skill that mostly does what it says: reads package manifests and runs package-manager audits. Before using it, ensure the required tools (rg, jq, npm, and currently required bun) are actually available — bun may be unnecessary for many projects but is declared mandatory. Be aware that npm/pnpm/yarn audit commands contact package registries (network activity) and may return noisy results; the skill does not request secrets. Also note the skill references local helper files (references/*.md) that are not included. If you want to use it on a repo that uses pnpm or yarn, either install those tools or update the skill to declare them. If you’re unsure, run the commands manually first to confirm outcomes and network behavior before granting the agent autonomous runs.


Runtime requirements

Binaries: rg, jq, bun, npm

Latest version id: vk9721ahzdq3xrehz2ejbcjma1x834k17
207 downloads, 0 stars, 1 version
Updated 23h ago
v1.0.0
License: MIT-0

NPM Package Scanner

Use this skill when you need to inspect the npm packages used by a repository and identify security, maintenance, and dependency risks.

Goal

Produce a practical package-risk review for the current repository:

  • what dependencies are installed
  • which ones are direct vs transitive
  • which ones look stale, risky, or unnecessary
  • whether there are known audit issues
  • whether version ranges are too loose or outdated

Scope

Focus on:

  • package.json
  • lockfiles such as package-lock.json, bun.lock, pnpm-lock.yaml, or yarn.lock
  • workspace package manifests
  • scripts that introduce package/tooling risk
  • duplicated or overlapping dependencies

Use the reference notes in references/checklist.md and references/commands.md when useful.

Workflow

  1. Find package manifests and lockfiles.
  2. Read the root package.json and any workspace manifests.
  3. List direct dependencies and devDependencies.
  4. Check for:
    • very old package versions
    • abandoned or suspicious packages
    • duplicate packages solving the same problem
    • unnecessary runtime dependencies
    • risky postinstall/build hooks
    • overly broad semver ranges
  5. Run available package-manager audit commands if appropriate.
  6. Summarize findings by severity.
  7. Recommend concrete next steps.

Commands

Prefer fast repo inspection first:

rg --files | rg '(^|/)(package\.json|package-lock\.json|bun\.lock|pnpm-lock\.yaml|yarn\.lock)$'

Inspect manifests:

cat package.json

If using Bun:

bun pm ls
bun audit

If using npm:

npm ls --depth=0
npm audit

If using pnpm:

pnpm ls --depth=0
pnpm audit

If using yarn:

yarn list --depth=0
yarn audit

Output format

Return:

  1. High-risk findings
  2. Medium-risk findings
  3. Low-risk cleanup items
  4. Packages worth upgrading soon
  5. Packages that may be removable
  6. Exact commands to verify or fix

Review rules

  • Prioritize real risk over noise.
  • Distinguish direct dependencies from transitive ones.
  • Do not recommend upgrades blindly; mention likely blast radius.
  • If audit output is noisy, extract only actionable items.
  • If no serious issues are found, say so explicitly.

Constraints

  • Do not modify dependency versions unless explicitly asked.
  • Do not remove packages unless explicitly asked.
  • Do not assume a package is abandoned without evidence from the repo context or audit/tool output.
