
@permanentlymobile/pm-aid

v1.0.2

PM AID -- AI agent defense scanner. 73 JS-native modules across prompt injection, secret exposure, supply chain, OSINT, vault hardening, and the AI-agent-runtime surface. Self-hosted. Offline-verified license. One-time ownership.

Downloads

388

Readme

PM AID

Install

npm install -g pm-aid

Requires Node 20 or newer. Compiles a native SQLite binding on first install -- expect a few seconds for the build.

Activate

After purchase you receive a license key in the form PMAID.v1.<payload>.<signature>. Bind it to your machine:

pm-aid license activate PMAID.v1.eyJ...

The license binds to the machine fingerprint on first activation. Verification is fully offline -- no network calls, no phone-home.

Confirm:

pm-aid license status
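
How a key of the shape PMAID.v1.<payload>.<signature> can be verified offline and pinned to a machine, as an added example that is not PM AID's code. The README does not state the payload encoding, the signature scheme or any field names; the base64url JSON payload, the Ed25519 signature over "PMAID.v1.<payload>", the licensee/tier fields and the fingerprint strings are all assumptions.

```javascript
// Added example, not PM AID's code. Assumptions: base64url JSON payload,
// Ed25519 signature over "PMAID.v1.<payload>", and all field names below.
const crypto = require('node:crypto');

// Verify a key against locally pinned public keys. No network is involved.
function verifyLicense(key, trustedKeys) {
  const parts = String(key).split('.');
  if (parts.length !== 4 || parts[0] !== 'PMAID' || parts[1] !== 'v1') {
    return { ok: false, reason: 'format' };
  }
  const signed = Buffer.from(parts.slice(0, 3).join('.'));
  const sig = Buffer.from(parts[3], 'base64url');
  // Authenticate first: the payload is untrusted input until a pinned key accepts it.
  const accepted = trustedKeys.some((pub) => {
    try { return crypto.verify(null, signed, pub, sig); } catch { return false; }
  });
  if (!accepted) return { ok: false, reason: 'signature' };
  try {
    return { ok: true, payload: JSON.parse(Buffer.from(parts[2], 'base64url').toString()) };
  } catch {
    return { ok: false, reason: 'payload' };
  }
}

// First activation records the machine fingerprint next to the key.
function activate(key, trustedKeys, fingerprint) {
  const res = verifyLicense(key, trustedKeys);
  return res.ok ? { ok: true, record: { key, fingerprint } } : res;
}

// Later runs re-verify the signature and compare fingerprints.
function status(record, trustedKeys, fingerprint) {
  const res = verifyLicense(record.key, trustedKeys);
  if (!res.ok) return res;
  if (record.fingerprint !== fingerprint) return { ok: false, reason: 'fingerprint' };
  return res;
}

// Constructed sample: a throwaway vendor key pair and a key minted with it.
const vendor = crypto.generateKeyPairSync('ed25519');
function mint(payload, privateKey) {
  const body = 'PMAID.v1.' + Buffer.from(JSON.stringify(payload)).toString('base64url');
  return body + '.' + crypto.sign(null, Buffer.from(body), privateKey).toString('base64url');
}
const sampleKey = mint({ licensee: 'example-user', tier: 'basic' }, vendor.privateKey);
const record = activate(sampleKey, [vendor.publicKey], 'fp-machine-A').record;
console.log(status(record, [vendor.publicKey], 'fp-machine-A').ok);
console.log(status(record, [vendor.publicKey], 'fp-machine-B').reason);
```

In this sketch the activation record itself is not signed, so the fingerprint comparison only holds as long as the local state directory is not edited.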

Run a scan

pm-aid scan --profile quick
pm-aid scan --profile half-deep --target /path/to/project
pm-aid scan --modules prompt-injection,secret-exposure

Available profiles:

  • quick -- 15 high-signal modules. ~60-120s. Good for CI hooks.
  • osint-light -- 10 public-API modules. Footprint-only, no auth required.
  • half-deep -- full surface, all 73 modules.

Results go to ~/.pm-aid/reports/ as markdown. Findings persist to ~/.pm-aid/findings.db for regression tracking across scans.

Exit codes

| Code | Meaning |
|------|---------|
| 0 | Clean -- no findings |
| 1 | Findings present, no critical |
| 2 | Critical findings, license error, or invocation error |
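
A fail-closed CI gate built on these exit codes, as an added example that is not PM AID's code. The exit codes, the scan arguments and the two environment variable names come from this README; the policy (pass on 0 and 1, block on everything else) and the function names are assumptions.

```javascript
// Added example, not PM AID's code. The exit codes, CLI arguments and the two
// environment variable names come from the README; the gate policy is assumed.
const { spawnSync } = require('node:child_process');

// Drop the dev/test bypass and OPSEC opt-in so CI never inherits them by accident.
function scannerEnv(env) {
  const clean = { ...env };
  delete clean.PM_AID_LICENSE_BYPASS;
  delete clean.PM_AID_OPSEC_MODULES_ENABLED;
  return clean;
}

// Map a finished process to a decision. Anything unexpected blocks the build.
function gateDecision(run) {
  if (run.error) return { pass: false, why: `scanner did not run (${run.error.code})` };
  if (run.status === null) return { pass: false, why: `scanner killed by ${run.signal}` };
  switch (run.status) {
    case 0: return { pass: true, why: 'clean' };
    case 1: return { pass: true, why: 'findings present, none critical' };
    // Code 2 also covers license and invocation errors, so it is not proof of a finding.
    case 2: return { pass: false, why: 'critical findings, license error, or invocation error' };
    default: return { pass: false, why: `undocumented exit code ${run.status}` };
  }
}

// Run the scanner with a scrubbed environment and a hard timeout (10 minutes).
function runGate(cmd, args, env = process.env) {
  const run = spawnSync(cmd, args, { env: scannerEnv(env), stdio: 'inherit', timeout: 600000 });
  return gateDecision(run);
}

// In a CI step:
//   process.exitCode = runGate('pm-aid', ['scan', '--profile', 'quick']).pass ? 0 : 1;
```

A missing binary, a timeout or a signal all surface through `run.error` or a null status, so the build is blocked rather than silently passing when the scanner never ran.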

CLI reference

pm-aid scan --profile <name>          Run a named profile
pm-aid scan --modules m1,m2,...       Run specific modules
pm-aid scan --list                    List all 73 modules
pm-aid scan --list-profiles           List available profiles
pm-aid license activate <KEY>         Bind a license key to this machine
pm-aid license status                 Show activated license info
pm-aid license info                   Show trusted signing keys
pm-aid --version                      Print version
pm-aid --help                         Show help

Options:

--target <path>       Target directory (default: cwd)
--output <dir>        Report output dir (default: ~/.pm-aid/reports/)
--dry-run             Show plan without running
--verbose             Verbose module output
--json                Emit JSON results to stdout
--parallel            Run modules in parallel

Environment:

PM_AID_HOME                    State dir (default: ~/.pm-aid)
PM_AID_OPSEC_MODULES_ENABLED   Allow opt-in OPSEC modules under --modules=all
PM_AID_LICENSE_BYPASS          Set to "true" for dev/test (no license required)

Programmatic use

The scan engine is exported for direct use from Node:

import {
  runScan,
  loadScope,
  type ScanConfig,
  type Finding,
} from 'pm-aid';

const scope = loadScope({ target: '/path/to/project' });
const config: ScanConfig = {
  modules: ['prompt-injection', 'secret-exposure'],
  targets: scope,
  dryRun: false,
  verbose: false,
};

const { results, scanId, reportPath } = await runScan(scope, config);
const allFindings: Finding[] = results.flatMap((r) => r.findings);

The license gate lives in the CLI -- the engine itself does not gate. Embedders are expected to validate the license themselves via validateLicense(key) and activateLicense(db, key) from the same package.

Module surface

PM AID Basic ships 73 JS-native and API-only modules covering:

  • Prompt + agent runtime -- prompt-injection, context-exploit, paladin-bypass, cedar-bypass, voice-pipeline, tool-output-poisoning, tool-param-injection, prompt-injection-scanner, context-minimiser, output-pii-scanner, mcp-transport-integrity, symjack-mcp-config-guard, llm-proxy-posture
  • Secret + credential -- secret-exposure, vault-access, guardrails, breach-watchlist
  • Supply chain -- supply-chain, supply-chain-vigilance, dependency-audit, dependency-confusion, editor-extension-audit, symjack-mcp-config-guard
  • Network + transport -- http-headers, ssl-tls-check, ssrf-scanner, cors-check, weak-crypto-scanner, ssh-version-audit, ssh-cert-principal-probe, traceroute-path, icmp-posture, arp-spoof-detect
  • OSINT -- osint-footprint, osint-quarterly, dns-footprint, google-dork-scanner, metadata-leak-scanner, deepfake-detection, brand-monitor, whois-monitor, wayback-audit, mail-security, securitytrails-api, osint-chain-orchestrator
  • Cloud + auth -- firebase-supabase-audit, client-auth-bypass, payment-flow, cloud-misconfig, ai-malware-detect
  • Endpoint integrity -- browser-version-audit, decision-chain-integrity, patch-verification, linux-privesc-surface, linux-kernel-version-check, pam-integrity-monitor
  • Code-level -- xss-sink-scanner, xxe-scanner, deserialization-vuln-scanner, eval-shell-scanner, business-logic
  • Defensive observation -- pre-scan-attack-surface, defensive-sensor-stack, campaign-progress-monitor, rotation-aware-actor-correlation, email-header-forensics, git-host-integrity, mobile-apk-audit, api-abuse, finding-db
  • OPSEC (opt-in via env) -- persona-hardened-egress, egress-leak-check, self-osint-audit, wifi-pentest, bluetooth-pentest

Binary-tier modules (nmap, nuclei, ffuf, semgrep, volatility, etc.) are NOT part of PM AID Basic. They ship with the upcoming PM AID Pro / Wraith White-Hat tier.

Privacy

PM AID never phones home. No telemetry. No license-server check. The scan engine reads only what you scope it to, persists findings locally to ~/.pm-aid/, and writes markdown reports for you to review or commit.

License

One-time-ownership commercial license. See LICENSE for terms.