Package Json Linter

v1.0.0

Lint and validate package.json files for common mistakes, missing fields, security issues, and best practices. Use when asked to lint, validate, audit, or ch...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for charlie-morrison/package-json-linter.

Install the skill "Package Json Linter" (charlie-morrison/package-json-linter) from ClawHub.
Skill page: https://clawhub.ai/charlie-morrison/package-json-linter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install package-json-linter

ClawHub CLI

npx clawhub@latest install package-json-linter

Security Scan

VirusTotal
Benign

OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included Python linter script and SKILL.md describes invoking that script. No unrelated binaries, env vars, or cloud credentials are requested.
Instruction Scope
Runtime instructions only invoke the bundled Python script to lint package.json files and specify output formats; they do not instruct the agent to read unrelated secrets, system config, or send data to external endpoints. Scanning directories recursively is consistent with the stated purpose.
Install Mechanism
No install spec or external downloads are present. The skill is instruction-only with a bundled pure‑stdlib Python script, so nothing is fetched from third-party URLs during install.
Credentials
The skill requires no environment variables or credentials. The linter only reads package.json files (and related project fields) which is proportional to its purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges or attempt to modify other skill/system configurations.
Assessment
This skill appears coherent and limited to linting package.json files. Before running it, review the bundled script if you have concerns (it's pure Python and uses only stdlib), and prefer running it on a test copy or inside a container if you will scan large or sensitive directories. Note the package has no homepage and an unknown owner; if provenance matters for your environment, ask the publisher for a source repository or documentation before trusting it in production.

Like a lobster shell, security has layers — review code before you run it.

latest vk976g3zkv890ze4krqwtk6w61984shnd
83 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Package JSON Linter

Lint package.json files for missing fields, dependency issues, security risks, and best practices violations.

Commands

All commands use the bundled Python script at scripts/package_json_linter.py.

1. Lint a package.json file

python3 scripts/package_json_linter.py lint <file-or-directory> [--strict] [--format text|json|markdown]

Runs all lint rules against one or more package.json files. If given a directory, scans for package.json files recursively (excluding node_modules).

Flags:

  • --strict — exit code 1 on any warning (not just errors)
  • --format — output format: text (default), json, markdown

2. Audit for security issues

python3 scripts/package_json_linter.py security <file-or-directory> [--format text|json|markdown]

Checks for supply chain risks: postinstall/preinstall/install scripts, and scripts containing curl, wget, eval, or piping to shell.

3. Analyze scripts section

python3 scripts/package_json_linter.py scripts <file-or-directory> [--format text|json|markdown]

Analyzes the scripts section for missing common scripts (test, start, build), placeholder test scripts, dependency issues, and deprecated packages.

4. Validate required fields and structure

python3 scripts/package_json_linter.py validate <file-or-directory> [--strict] [--format text|json|markdown]

Validates required fields (name, version, description), semver format, npm naming rules, dependency issues, and best practice fields.

Lint Rules (22 rules)

Required Fields (5 rules)

Rule                 Severity  Description
missing-name         error     No name field
missing-version      error     No version field
invalid-name         error     Name doesn't match npm naming rules
invalid-version      error     Version not valid semver
missing-description  warning   No description field

Dependencies (6 rules)

Rule                  Severity  Description
wildcard-dependency   error     Version is *, empty, or latest
git-dependency        warning   Points to git URL (fragile)
file-dependency       warning   Uses file: protocol
pinned-dependency     info      All deps pinned to exact versions
duplicate-dependency  warning   Same package in deps and devDeps
deprecated-package    warning   Known deprecated package (~20 tracked)
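
The dependency rules above, sketched as an added example (this is not the bundled script's code). The git prefix list, the exact-version regex and the sample manifest are assumptions of this example; deprecated-package is left out because the tracked list is not shown on the page.

```python
import re

# Severity per rule, as listed in the Dependencies table.
SEVERITY = {"wildcard-dependency": "error", "git-dependency": "warning",
            "file-dependency": "warning", "duplicate-dependency": "warning",
            "pinned-dependency": "info"}
# Which spec prefixes count as git sources is this example's assumption;
# bare "user/repo" shorthands and https URLs ending in .git are not covered.
GIT_SPEC = re.compile(r"^(?:git(?:\+(?:https?|ssh|file))?:|github:|gitlab:|bitbucket:)")
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def classify_spec(spec):
    """Return the rule id that one version spec triggers, or None."""
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return "wildcard-dependency"
    if GIT_SPEC.match(spec):
        return "git-dependency"
    if spec.startswith("file:"):
        return "file-dependency"
    return None


def audit_dependencies(manifest):
    """Return (severity, rule, subject) tuples for a parsed package.json."""
    deps = manifest.get("dependencies") or {}
    dev = manifest.get("devDependencies") or {}
    findings = []
    for section, table in (("dependencies", deps), ("devDependencies", dev)):
        for name, spec in table.items():
            rule = classify_spec(str(spec))
            if rule:
                findings.append((SEVERITY[rule], rule, f"{section}.{name}"))
    for name in sorted(set(deps) & set(dev)):
        findings.append((SEVERITY["duplicate-dependency"], "duplicate-dependency", name))
    specs = [str(s).strip() for s in (*deps.values(), *dev.values())]
    if specs and all(EXACT.match(s) for s in specs):
        findings.append((SEVERITY["pinned-dependency"], "pinned-dependency", "all"))
    return findings


# Constructed manifest fragment (package names are placeholders).
SAMPLE = {
    "dependencies": {"left": "*", "mid": "git+https://example.invalid/mid.git",
                     "right": "^2.1.0", "shared": "1.0.0"},
    "devDependencies": {"local": "file:../local", "shared": "1.0.0"},
}
```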

Security (4 rules)

Rule                Severity  Description
postinstall-script  warning   Supply chain risk
preinstall-script   warning   Supply chain risk
install-script      warning   Supply chain risk
suspicious-script   warning   Contains curl/wget/eval/pipe-to-shell

Best Practices (7 rules)

Rule                Severity  Description
missing-license     warning   No license field
missing-repository  info      No repository field
missing-engines     info      No engines field
missing-keywords    info      No keywords field
missing-main        info      No main or exports field
missing-scripts     info      No scripts section
non-https-url       warning   URLs not using HTTPS

Exit Codes

  • 0 — no errors found
  • 1 — errors found (or warnings in --strict mode)

Output Formats

  • text — human-readable, one issue per line (default)
  • json — structured JSON with summary counts
  • markdown — table format for reports and PRs
