JSPM

Security lifecycle orchestrator — dispatches to per-stage security providers (secrets, sbom, release-gate, etc.).

Core engine for detecting fake packages, fake imports, slopsquatting risk, and hallucinated dependencies in AI-generated code.

Claude can sign, but never see. MCP server + CLI that keeps private keys out of the LLM's context window.

SLSA v1.2 provenance mapping for PEAC provenance extension

Provenance verification for prebuilt native addons with GitHub attestations

in-toto v1.0 attestation mapping for PEAC provenance extension

Guard package-manager installs, dependency changes, CI, and agent-run commands before suspicious project code executes.

Security scanner for npm packages - pre and post-install scanning for malicious code, supply chain attacks, and obfuscated code

Security-first CLI for AI-assisted development: safe package installs, dependency scanning, API flow testing, and agent task orchestration.

One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.

Security scanner for MCP server configurations. Finds risky tools, vulnerable packages, and suspicious servers across Claude Desktop, Cursor, VS Code, and more.

npm dependency security scanner and package threat analysis tool

npm supply chain security scanner — detect typosquatting, maintainer changes, and malicious scripts before npm install

Check your npm packages against a curated list of known-compromised versions. Scans package-lock.json, pnpm-lock.yaml, and yarn.lock. Built for the AI-coding era.

OpenAgentLock CLI — a firewall for AI coding agents. Detects local agent harnesses (Claude Code, Codex CLI, Cursor, OpenCode, Cline, Gemini CLI, Continue, Copilot), gates risky tool calls via a Go control plane, anchors decisions in a Rust Merkle ledger.

Nexus Dependency Auditor — OSV CVE scanning, offline cache, supply chain risk analysis, and build-time blocking

Security Trust Report: colors@1.4.0 — 46/100 (C, caution). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Model Context Protocol server that lets AI coding assistants (Claude Code, Cursor, Windsurf) check npm packages against the Sandcheck dataset before suggesting installs.

One command. Safer dependencies.

Bootstrap and safely evolve a shared Claude Code repo structure.

PoC package in npm for data exfil

Gadget bundle signing + verification for the ggui gadget marketplace. Ed25519 author-key path + sigstore/cosign keyless path. Pure-TS @noble crypto for Ed25519 — browser-safe.

Core lookup library for Sandcheck. Loads the curated compromised-package dataset, validates it against the JSON Schema, and resolves package@version queries against it.

Supply-chain security firewall for Node.js — resolves dependencies, scans via OSV.dev and NVD, and enforces configurable vulnerability policies before anything reaches node_modules.

Standalone, zero-dependency CLI for npm supply chain security analysis — vulnerability scanning, OpenSSF Scorecard, install-script detection, publisher history, and more.

⚡ Frisk — Catches leaked credentials and supply-chain threats in ClawHub skills before you install. 9 intel sources, 7 checks, zero phone-home.

VibeCheck Ultimate CLI — Ship with confidence. 65+ commands merged from 4 codebases: kernel infrastructure, ISL verification, Reality Mode, Agent Firewall, MCP Server.

Official TypeScript SDK for GTCX Protocol

Security Trust Report: @sprintsail/cli@0.2.1 — 59/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

A dependency-decision ledger: every dependency is recorded, explained, and reviewable in the PR — for Node.js projects and coding agents.

Find installed binaries and packages tied to supply-chain attacks or AI security incidents.

Cosign signing + SLSA provenance for the package.publish lifecycle stage. Signs the published artifact (keyless via Fulcio OIDC when available, or with input.config.cosignKey for key-based) and emits an intoto+json SLSA provenance document. Registers as a

D1337 CIPHER-OSC V3 — Elite AI Agent Framework. 106+ components. Hooks, subagents, custom commands. Underground mindset, brutal execution, sovereign protocol.

Security Trust Report: event-stream@4.0.1 — 53/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

MCP server exposing Attestd CVE and supply-chain checks for Claude Code and other MCP clients

SafeDep CLI: open source software supply chain security

A proof-of-concept demonstrating how npm packages can execute code during installation

Content-based supply-chain scanner for npm/pnpm/yarn/bun: inspects the bytes you actually installed (lifecycle hooks, obfuscated payloads, worm IOCs) instead of just matching package names against an advisory list.

Security Trust Report: rc@1.2.8 — 56/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Reusable ESLint flat config and git-hook toolkit for Archipelago projects

HS code classifier for AI agents. Classifies products to official 6-digit tariff codes before customs declarations or duty calculations. VERIFIED verdict in one call.

JS/TS supply-chain hardening CLI — scan, secure, and enforce dependency policies

CLI that fails if any package version in (or newly added to) a lockfile is younger than a configurable threshold on the npm registry. Defends against supply-chain attacks via a quarantine window.

Deterministic registry + integrity scanner for Model Context Protocol servers. Make MCP supply-chain boring.

Official Node.js SDK for the Tracing Platform

[THIS IS A TEST] Level-1 dependency used to introduce a transitive sub-dependency for SBOM/visibility validation.

Offline AST-grade npm/pnpm/yarn/bun supply-chain auditor that flags Shai-Hulud-style install-script worms. Real JavaScript AST analysis with taint approximation, IoC corpus matching, sigstore provenance verification, and baseline diffing — designed as def

Scans Node, Python, and AI-agent configs for indicators of compromise from npm and PyPI supply-chain attacks.

Skill vetting & supply chain security for OpenClaw. Scans SKILL.md files for prompt injection, credential theft, RCE, typosquatting, and social engineering.

npm registry proxy firewall — blocks vulnerable packages before they reach node_modules

npm outdated, but only for packages that have had time to age safely

Security Trust Report: faker@6.6.6 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

CLI tool to detect AI hallucinated packages and npm vulnerabilities

Official JavaScript/TypeScript client for the Attestd security risk API

Agent-first OSS repository health scanner based on CHAOSS metrics, The Open Source Way 2.0, and Inclusive Naming Initiative

Protect yourself from npm supply chain attacks. One command sets up minimumReleaseAge cooldowns across npm, pnpm, Yarn, and Bun globally.

Robust, framework-agnostic security middleware and monitoring SDK for distributed retail and supply chain applications

Security Trust Report: jst@0.0.13 — 59/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: flatmap-stream@0.0.1-security — 50/100 (C, standard). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Standalone supply-chain scanner (npm + PyPI) with reachability (VEX-lite) triage, powered by OSV. Part of PatchPilot.

Unified quarantine policy for package managers — block recently-published packages to prevent supply-chain attacks

GitHub security posture audit tools for AI agents — organization, repository, Actions, secrets, supply chain analysis via MCP

Security Trust Report: wepback@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Supply-chain inventory collector for package, extension, and developer-tool metadata on macOS and Linux.

A security scanner that detects npm packages compromised by supply chain attacks, including the TanStack wave 4 attack (May 2026), the Axios attack (March 2026), and Shai-Hulud malware.

Supply Chain Guard CLI - Secure front door for npm: per-session install guard, mandatory preflight, phantom detection, governance checks

One-time install git push protection with 1000+ provider fingerprints and entropy scanning for leaked tokens.

Local-first security and cognitive-risk scanner for MCP tools and agent skills with ToolBOM, attack harness, and policy checks.

A TypeScript CLI and VSCode extension that scans npm dependencies for security and supply-chain risk.

Scan dependencies for supply-chain risk: EOL versions, CVEs, abandonment, typosquatting, license compliance, and maintainer takeover patterns

Intentionally suspicious npm package for evaluating supply-chain security scanners.

Tiny zero-dependency CLI that scans npm, pnpm, yarn, and bun lockfiles for packages compromised in the TanStack May 2026 npm supply-chain incident (mini Shai-Hulud). Uses the official Snyk advisory as the source of truth.

ph — Scan Claude Code / Codex CLI / Gemini CLI plugins for malicious hooks, poisoned SKILL.md, and MCP tool-poisoning *before* you install. Uses your local LLM CLI as the judge — no API key required.

Supply chain policy stamping — detect, patch, and generate CI workflows for org-wide policy adoption

Detect and fix the mini-shai-hulud TanStack supply-chain attack (socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack)

Runtime dependency behavior monitor for Node.js — the strace for npm packages. Detects supply-chain attacks that static analysis misses. Zero dependencies. Zero config. Zero telemetry.

Official SDK for encoding and decoding Metrc RetailID QR labels

Extract compliance evidence from git repositories, package dependencies, and CI/CD pipelines

Pre-commit secret scanner. Blocks API keys, tokens, .env files, and private keys from leaking into git. Ships as a skill for Claude Code, OpenAI Codex CLI, Google Antigravity, and Moonshot Kimi CLI, plus a standalone CLI / git hook.

Agentic CVE remediation platform for Node.js. Correlates threat intelligence, applies policy-governed fixes, and delivers auditable remediation outcomes across CI/CD pipelines, agent workflows, and service portfolios.

Fend off risky dependencies. Sandboxed runtime for package installs and dev scripts.

Security Trust Report: loadash@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

SYNAPSE SBOM scanner for npm projects — generate a CycloneDX SBOM locally and submit it to SYNAPSE Software Component Analysis.

Security Trust Report: nesk-scanner-termux@8.0.6 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Arcis security CLI — scan running apps, audit source, and check dependencies. Native Rust binary distributed via npm.

CLI tool that audits env files, dependencies, and React code quality before your app ships

Supply chain security for AI-generated code - scans packages, Docker images, and IDE extensions (VS Code, Cursor, JetBrains) before install for typosquats, CVEs, sandwich-pattern attacks, and Docker tag overwriting

Security Trust Report: @cairncms/api@1.0.0 — 58/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Cupel — audit local des skills IA (Claude Code, Cursor, Codex). 14 règles de détection : prompt injection, ASCII smuggling, tool poisoning, exfiltration credentials, reverse shells, obfuscation hex. Zero network. Inspiré de la coupelle de l'essayeur d'or,

Security Trust Report: n3xt@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Offline, zero-dependency static capability analyzer for JavaScript — see what a script can do (network, filesystem, exec, secrets) before you run it.

A terminal-first supply chain guard for package manager workflows.

Experimental HOME/env isolation for package-manager install scripts

Easily see the dependency graph of your npm project

Security Trust Report: openclaw@2026.5.18 — 57/100 (C+, standard). 22 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

DeFarm SDK - Git for traceability with multi-role permissions and global item discovery for agriculture supply chain

Stay N versions behind the latest published release of your npm dependencies to avoid supply chain attacks.

Open source npm package security scanner — catch supply chain attacks before they catch you.

Core detection engine for AI-generated code — hallucinated packages, phantom dependencies, stale APIs, security anti-patterns. Structural, embedding, and LLM scanning.

Package Intelligence MCP server for AI agents. Stops hallucinated/malicious package installs across 19 ecosystems (npm, PyPI, Cargo, Go, Maven, NuGet, RubyGems, Composer, Pub, Hex, Swift, CocoaPods, CPAN, Hackage, CRAN, Conda, Homebrew, JSR, Julia). 22 to

14-module security, AI, auth & DX toolkit for Node.js. Zero dependencies.

Security Trust Report: resin-stream-logger@0.1.2 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Production-grade inventory kernel and supply chain engine for MongoDB — locations, moves, quants, reservations, valuation, routing, traceability

MCPS -- MCP Secure. Drop-in secure replacement for the MCP SDK. ECDSA message signing, body integrity, replay protection, tool integrity, and audit trail.

Scan markdown and config files for hallucinated npm package names. Defends against slopsquatting supply chain attacks.

Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases

Scan your project for compromised npm packages

JavaScript/TypeScript SDK for the CowCare MilkSupplyChain contract on Celo

Dependency risk gate for JavaScript projects: OSV advisories, SBOM scans, baselines, install blocking, and supply-chain risk signals.

npm package age validator for supply chain security

Global npm vulnerability and malware verifier with install-time blocking

Scan npm dependencies for supply chain security risks - detect malicious packages before they compromise your project

Detect AI-hallucinated packages, phantom dependencies, and stale APIs in your codebase. Open-source CI/CD quality gate with local Ollama support — zero API cost.

Stop installing npm packages blindly. Pre-install security scanner for npm packages and GitHub repos.

AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.

The dependency bloodhound for AI coding agents. Sniffs out vulnerabilities, license risks, and health issues in your dependencies — free, no API keys.

Dependency install safety gate with OSV-backed advisory checks, approved-spec ledger enforcement, and reorg rollback hooks

n8n community node for TracePass — automate EU Digital Product Passport workflows: products, passports, EPCIS supply-chain events.

Security Trust Report: @scopieflows/pieces-common@0.11.2 — 56/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Dependency Inspector - A security analysis tool for npm packages

Delay npm package installations until they reach a minimum age, protecting against supply chain attacks

Security scanning CLI for React and Next.js — detects CVEs, secrets, license risks, supply chain threats, hydration bugs, RSC boundary violations, and more.

Supply chain attack protection audit tool for pnpm projects

EDIFACT D.20B (2020) Standard Definitions - Latest Standard - 195 Message Types

Post-quantum cryptographic security layer for npm, pip, and cargo package managers

Multi-engine AI agent security scanner — one scan, four engines, one report

Anchor files to Bitcoin from the command line. Generate .proof bundles for offline verification.

Scaffold a full-stack SupplyNet SCMS project in one command

One-shot setup for secure npm package publishing: OIDC trusted publishing, staged publishing, hardened CI/CD.

Security Trust Report: @scopieflows/app-gistly@0.1.3 — 72/100 (B, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: @qihuangai/api@1.0.0-beta.4 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

CLI tool to install BMAD workflow files into any project with integrated Shai-Hulud 2.0 security scanning

CRA compliance automation - SBOM generation, CVE monitoring, and vulnerability reporting for the EU Cyber Resilience Act.

Zero-dependency CLI scanner for npm/PyPI supply chain compromises. Detects compromised packages in lockfiles and system-level IOCs from attacks like Mini Shai-Hulud (CVE-2026-45321).

Open-source MCP server that flags day-zero supply-chain anomalies in npm + PyPI packages before install.

Comprehensive security guards for LLM-powered and agentic AI applications - 34 guards covering OWASP Top 10 for LLMs 2025, Agentic Applications 2026, and MCP Security. All guards accessible via unified TrustGuard facade. Features prompt injection (PAP/per

Static analysis and security scanner for AI agent configuration files

Security scanner that checks npm dependencies for Shai Hulud vulnerable packages. 100% offline, zero data collection, zero telemetry. Scans all dependencies against 689+ known compromised packages.

Local-first CLI that blocks risky npm, pnpm, and bun installs before they run. Open source.

Policy-as-code admission controller for AI agent skills and MCP tools with SkillBOM, lockfiles, and supply-chain baselines.

Security namespace placeholder for satoki. Registered to prevent supply chain attacks.

Supply-chain scanner that audits npm dependencies for typosquats, malicious install scripts, license risk, and known CVEs.

Audit, pin, and upgrade GitHub Actions workflows. LLM-friendly TOON output, safe-by-default.

Security research backdoor package for supply chain attack simulation

Scan your codebase for AI-generated code. Know your copyright risk before it becomes a legal problem.

Security Trust Report: word-wrap@1.2.5 — 65/100 (B, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Scaffold full-stack MERN exam projects - SMS, SRMS, SCMS, EPMS. Select, install, and run in seconds.

Verify Skill Provenance Attestations (SPA) for AI agent skill directories. Drop-in tamper-evidence for any registry, runner, or installer. Zero-deps, Web Crypto, Ed25519/JWS.

Push SBOMs to CRA Ready from your terminal or CI.

Registry proxy that quarantines recently published npm package versions

Manufacturing & Engineering calculation formulas library - 182 industrial calculations across 15 domains for OEE, Cpk, SPC, FMEA, Nelson Rules, metal weight, CNC machining, GD&T, battery, environmental, pipe flow, logistics, IE time study, and more

Stop npm supply-chain attacks before they execute. Zero-dependency security scanner: malicious package detection, lockfile audit, dropper detection, integrity checks, OWASP A03/A05/A08/A10 coverage, CycloneDX SBOM & VEX reports, provenance verification, s

Security Trust Report: @scopieflows/shared@0.54.0 — 54/100 (C, standard). Maintainer risk, supply chain analysis from 8 security databases.

Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.

Dependency health scores and abandonment risk forecasting for npm projects

Scan npm project dependencies and flag copyleft/restrictive licenses (GPL, AGPL, LGPL, SSPL). Zero dependencies — pure Node.js built-ins.

EANCOM 2002 (S3) Standard Definitions - 49 Message Types for Retail & Supply Chain

Dependency Inspector - A security analysis tool for npm packages

Shield your projects from npm supply-chain attacks. Checks packages against a curated registry of malicious, compromised, and typosquatted packages before installation.

Dependency Inspector - A security analysis tool for npm packages

Security Trust Report: coa@2.0.2 — 64/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

pi coding-agent extension that intercepts network operations with approval flows, vulnerability scanning, and supply chain security enforcement.

Security Trust Report: commondir@1.0.1 — 65/100 (B, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: node-ipc@12.0.0 — 68/100 (B, standard). 3 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Local-first security scanner for AI Skills (Anthropic Skill bundles, Niuma, OpenClaw, MCP, GPTs Actions). Catches malicious code, supply-chain attacks, and prompt injection — pure static analysis, sub-2s, zero LLM cost.

MCP server exposing all 9 AgentPost data verticals as AI agent tools

Graph-first dependency risk analysis for npm packages and dependency trees

Verifiable-credential supply chain compliance for npm. Sign attestations, verify dependencies, revoke compromised packages.

MCP client adapter for connecting AI agents to Supplyflow Hospital Supply Chain Management API

Dependency Inspector - A security analysis tool for npm packages

Security gate for npm, yarn and pnpm: verifies lockfile integrity and tarball hashes before installation

Inspect and apply install-time cooldown (min-release-age / exclude-newer) for npm and uv.

Security scanning for the vibe coding era. MCP server + CLI that finds secrets, auth bugs, SQL injection, XSS, IDOR, and vulnerable deps — and opens fix PRs. Works in Cursor, Claude Code, and VS Code. Bring your own model (Anthropic, OpenAI, Gemini, Groq,

A fast implementation of graph data structure

Security scanner for AI agent skills, configs, and MCP tools. Vet before you trust.

Dependency Inspector - A security analysis tool for npm packages

EDIFACT EDI Parser - Format-specific infrastructure for UN/EDIFACT standard

depcheck — dependency scanner. 47-entry offline CVE database (incl. 2024 and supply-chain), unused/missing deps via static import analysis, transitive deps via package-lock.json, Python support (requirements.txt / pyproject.toml). Free forever from vøiddo

Zero-dependency supply chain defense for Node.js/Bun — detects git tag rewrite attacks, postinstall backdoors, SHA drift, tarball tampering and unpinned GitHub Actions

A cross-platform wrapper for Perplexity's Bumblebee supply-chain inventory scanner.

Harmless npm lifecycle package for demonstrating nono ETI command mediation.

Centralized, opt-out-able release toolkit for every Geenius package and boilerplate. One canonical CLI (geenius-release) replaces the per-package supply-chain / license / SBOM / smoke-packed / gauntlet scripts.

Analyzes your full dependency tree — last commit date, open CVEs, bus factor, and risk score per package

Guardrail CLI - Enterprise security scanning with interactive menu, arrow navigation, and auto-installation

Analyze npm dependencies and generate package health, security, and maintainability reports.

Dependency health intelligence CLI — catch risks before they become crises

A fast, configurable CLI tool that scans your dependencies against a continuously-updated database of known compromised npm packages. Supports deep scanning of transitive dependencies via lock files.

Zero-config CLI security gate — blocks risky dependency installs before they reach production

A CLI tool to scan GitHub Enterprise organizations for SBOMs and check for compromised packages

Security Trust Report: @boxes-dev/dvb@1.0.655 — 61/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

npm supply chain attack defense via execution isolation

Scan any GitHub or Bitbucket repo for malware, credential stealers, and crypto scams

Local scanner for installed VS Code and Cursor extensions — catalog matching, static analysis, optional AI deep scan

Reproducible lockfiles, verification, diff, audit, and tests for Agent Skills

The most comprehensive Angular security auditing tool. 150+ rules, 10 scan types (OWASP, API security, performance, accessibility, dependency audit, hacking, complexity, code quality). Auto-fix suggestions, HTML dashboard, SVG badge generation, SARIF expo

SCM CLI - Supply Chain Management CLI tool

AI-powered security scanner with 15 scan phases, 10 specialist agents, container/IaC/DAST/taint analysis, and AI-assisted remediation.

NpmGuard CLI — check npm packages against NpmGuard security audits

Security Trust Report: axios@1.14.0 — 65/100 (B, standard). 8 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Minimal npm registry proxy with package/version whitelisting

Security Trust Report: opencode-ai@1.14.30 — 62/100 (C+, standard). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Predictive dependency security engine. Trust scores, zombie detection, blast radius analysis for your supply chain.

A security-focused npm installer that protects your projects from newly compromised packages

Verdaccio middleware that blocks npm packages published less than N days ago, reducing supply-chain attack risk.

pnpm hook that blocks vulnerable packages before download. Uses GitHub Advisory Database with offline static DB fallback.

A CLI tool for detecting the 'Shai-Hulud' npm supply chain attack that occurred in September 2025

Supply-chain governance plugin for OpenClaw - scan, assess, and quarantine risky skills

Vigiskill — security workbench for AI agent skills and OpenClaw mirror integrity. This is a placeholder package reserving the name for the upcoming production release.

Shai-Hulud Supply Chain Vulnerability Scanner - Detect compromised npm packages from the Shai-Hulud attacks (v1, v2, v3)

Security Trust Report: ua-parser-js@2.0.9 — 65/100 (B, standard). 5 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Scan any GitHub repo for malicious code, secrets, and supply-chain risks before you npm install. 43 checks across 7 layers.

Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.

Real-time malware scanner for npm packages

Detect AI-hallucinated packages before you install them.

Static gate (lockfile + OSV) and isolated Docker npm install with DNS allowlisting

npm audit scanner adapter for AspidaSec (OWASP A06 - Vulnerable Components)

Self-learning demand forecasting and swarm-based inventory optimization with uncertainty quantification

Syft + Grype provider for the build lifecycle stage. Generates a CycloneDX SBOM and scans it for known vulnerabilities. Registers as a security.sbom provider with @vibecontrols/vibe-plugin-security.

Harmless npm lifecycle script simulator for Runseal supply-chain demos

axios & OpenClaw 供应链投毒事件应急审计工具 (2026-03-31)

Enterprise-grade Node.js library for the EU Deforestation Regulation (EUDR) TRACES system. It provides seamless integration for submitting, amending, retrieving, and managing Due Diligence Statements (DDS) with support for both V1 and V2 APIs.

Install script firewall for npm - default-deny lifecycle scripts with explicit, reviewable allowlists

Safe npx wrapper - lock to latest-1 version with 24h cache

Dependency Inspector - A security analysis tool for npm packages

Scan npm dependencies for abandoned packages, outdated versions (libyear), and known CVEs (OSV.dev). Health scores 0-100, SARIF for GitHub Code Scanning, zero dependencies.

Block npm packages that are too new - protect against supply chain attacks

Static checks for agentic workflow injection risks in GitHub Actions.

Static pre-install security scanner for MCP (Model Context Protocol) servers — `npx mcpaudit <path>` flags command injection, credential/env exfiltration into LLM-visible output, over-broad filesystem/tool scope and dynamic eval before you wire a server i

the credit score for context — security scanning for packages, repos, MCP servers, skills, domains and commits

Paranoid by default supply chain protection for developers

Security Trust Report: @recallai/desktop-sdk@2.0.12 — 64/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: @arcadialdev/arcality@2.4.36 — 65/100 (B, standard). Maintainer risk, supply chain analysis from 8 security databases.

Zero-infrastructure npm supply-chain security firewall

Security Trust Report: @scopieflows/apps-framework@0.28.3 — 62/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Surgical npm vulnerability triage. Minimum-bump fixes, prod/dev split, transitive depth, no breaking surprises.

MCP supply chain scanner - detect tool poisoning, prompt injection, and shadowing attacks

Security linter for Claude Code / agent skills. Detects prompt injection, obfuscation, credential exfiltration, and other toxic patterns before you install a skill.

Universal npm supply chain attack scanner. Detects compromised packages from 12+ known attacks.

Security Trust Report: nx@22.7.1 — 61/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: @scopieflows/apps-common@0.12.3 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: xml2js@0.6.2 — 61/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

PatchPilots security and accessibility agents as an MCP server. Security scanning, supply chain analysis, and WCAG 2.1 AA audits inside Claude Code, Cursor, and any MCP-compatible IDE.

Security Trust Report: @7365admin1/core@2.46.0 — 54/100 (C, standard). Maintainer risk, supply chain analysis from 8 security databases.

Audit npm package-lock install hooks with a small explicit allowlist.

Security Trust Report: amit-logger-js@1.0.2 — 57/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

CryptoGuard SDK for Chrome extensions and Node.js servers - SLSA Level 3 binary transparency verification

Guardrail for safe npm dependency updates

X-ray vision for npm packages — security scanner that audits source code, detects obfuscation, and flags supply chain risks before you install

Element of attestation - Runtime code verification and integrity monitoring library for Node.js applications

Package dependency intelligence - work in progress.