Package Version Tracker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears benign: it looks up public npm/PyPI package information and compares versions without credentials, persistence, installs, or data mutation.
This is reasonable to install for public package version lookups. Be aware that queried package names are sent to npm or PyPI, and returned package descriptions or links come from third parties and should not be followed blindly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Package names the user asks about will be sent to the relevant public package registry.
User-supplied package names are sent to public npm/PyPI registry endpoints. This is disclosed and directly aligned with the package lookup purpose.
url = f"https://registry.npmjs.org/{package_name}/latest" ... url = f"https://pypi.org/pypi/{package_name}/json"
Use it for package names you are comfortable querying against public registries; no additional permission reduction appears necessary.
A package description could contain misleading text or links; it should not be treated as an instruction to the agent.
The response can include registry-supplied package description or summary text, which is third-party content controlled by package maintainers.
lines.append(f"**Description:** {data.get('description')}") ... lines.append(f"**Summary:** {data.get('summary')}")
Treat returned package metadata as untrusted reference information, especially descriptions, summaries, repository links, and homepages.
