npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@royashbrook/hush

v1.3.0

Published

a secret store for AI agents with one rule: the agent never sees the plaintext. get a secret once into the OS keychain, then inject it into commands forever. no get, cross-platform, MIT.

Downloads

81

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

royashbrookroyashbrook

Keywords

secretssecrets-managementkeychaincredentialsagent-skillaiclisecurity

Readme

A secret store for AI agents, with one hard rule: the agent never sees the plaintext.

Values never reach stdout, so they never land in the tool result, the transcript, or the cloud. A secret only ever moves from the store straight into the consumer. There's no get on purpose, a plain getter is the leak.

The point: you (an agent) are running as the user with their CLIs already authed, so you can already set a server-side secret or call a service , you just can't see the value without it landing in the chat. hush gets it once into the OS keychain, then you inject it into those commands forever. No chat paste, no temp files, no .env to commit by accident.

agents: start here

If you were handed this repo's url, install yourself, then follow the playbook. Get the hush script onto the box and read SKILL.md , that's the whole onboarding (it covers store / mint / inject and how to adopt hush in the repo you're working in). The script is one self-contained bash file; put it wherever your agent loads tools or just on your PATH:

git clone https://github.com/royashbrook/hush
chmod +x hush/hush
# then put hush/hush on your PATH, or move it into your agent's skills/tools dir

Claude Code convenience (auto-loads as a skill): clone straight into the skills dir instead , whole session git clone https://github.com/royashbrook/hush ~/.claude/skills/hush, or one project ./.claude/skills/hush. Other agents: see AGENTS.md.

That's it , the human points you here and says "use the hush skill," and you take it from here. The one thing only a human can do is paste a secret they hold: when you hit that, run hush set <name> and a hidden dialog pops on their screen (you never see the value).

install (humans)

Same clone as above, or just grab the single hush script and put it on your PATH.

Backends: macOS Keychain, Linux libsecret (secret-tool), and Windows DPAPI (via PowerShell) are built in. On other platforms keep the same contract with your OS secret store (see SKILL.md). Cross-OS tested in CI (manual workflow_dispatch, all three runners).

quick start

hush set my-vendor-token                      # paste a value you hold (hidden prompt)
printf '%s' "$TOK" | hush set my-vendor-token # ...or pipe it in (scripts/CI), still off argv
hush mint app-operator-key                    # generate + store a random one
hush run TOKEN=my-vendor-token -- some-cmd    # inject into a command, never printed
hush list                                     # names only, never values

Naming: keep the default hush namespace and prefix names by project (blame-cf-token, lifescored-gemini-key) so one keychain search for hush finds everything. HUSH_NS is only for a genuinely separate store, not per-project. Need to fix an existing name? hush rename <old> <new> moves the value internally (never re-asked, never printed). Full docs + the portable contract: SKILL.md.

not a vault

An agent with shell access can read+write this store, so it's not a lock against a hostile process. It's structure that keeps plaintext out of the transcript and makes "store once, inject everywhere" the easy path. It's also only as durable as the machine it's on (a local keychain) , back the machine up, or sync onward into a real secret manager, and don't make hush the only copy of a secret you can't regenerate. MIT licensed.