npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@veris.works/vibecodecheck

v1.0.3

Published

Pre-launch site check for vibe-coded MVPs — SEO, AEO, GEO, AI crawler, security in one scan

Readme

vibecodecheck

Vibe-coded MVPs ship fast. Search engines and AI crawlers still need robots.txt, llms.txt, sitemap, security headers, and correct bot policies.

vibecodecheck scans a public URL for launch blockers across search, AI crawler access, answer-engine files, and safety boundaries.

One command. Structured evidence. Safer agent and launch workflows.


One-line result

vibecodecheck = pre-launch readiness check for search engines + AI crawlers + security

Why this exists

Every MVP goes through the same painful cycle:

Problem                               What breaks
robots.txt missing Sitemap directive  Bing misses your content
HEAD / returns 405                    Bing crawler stops indexing
llms.txt missing                      Claude, ChatGPT cannot cite your content
GPTBot blocked                        ChatGPT never learns your site exists
.env exposed at /.env                 Credentials leak to anyone who looks
security.txt missing                  Security researchers cannot contact you

These are not hard to fix — but they are invisible until something breaks. vibecodecheck catches them before launch.

What it checks

Category               Checks                                            Max Score
─────────────────────────────────────────────────────────────────────────────────
Discoverability        robots.txt, sitemap.xml, RSS/Atom feed               25
AI Crawler Access      13 crawler user agents: ClaudeBot, GPTBot,           25
                       ChatGPT-User, OAI-SearchBot, PerplexityBot,
                       Google-Extended, GrokBot, BraveBot, Amazonbot,
                       Bytespider, cohere-ai, meta-externalagent, Applebot
Answer Engine          llms.txt, llms-full.txt, Schema.org JSON-LD,         20
Content                AEO schema types, og:title, og:description
Technical SEO          HTTPS, HEAD compatibility (Bing), security           15
                       headers, title/description, canonical, viewport,
                       og:image, twitter:card, noindex detection
Safety Boundary        .env, .git/config, /admin, /graphql, OpenAPI/Swagger 15
                       exposure checks, bundle secret scan, security.txt
─────────────────────────────────────────────────────────────────────────────────
Total                                                                       100

Usage

CLI

npx --yes [email protected]/vibecodecheck vibecodecheck https://your-mvp.com
# Save markdown report
npx --yes [email protected]/vibecodecheck vibecodecheck https://your-mvp.com --md

# Save to specific file
npx --yes [email protected]/vibecodecheck vibecodecheck https://your-mvp.com --out=report.md

# JSON output (for CI pipelines)
npx --yes [email protected]/vibecodecheck vibecodecheck https://your-mvp.com --json

# CI gate — exit 1 if score < 70
npx --yes [email protected]/vibecodecheck vibecodecheck https://your-mvp.com --ci --min-score=70

# Generate missing files (robots.txt, llms.txt, security.txt) into ./public
npx --yes [email protected]/vibecodecheck vibecodecheck-fix https://your-mvp.com --out=public

# Dry-run: show what would be written without writing
npx --yes [email protected]/vibecodecheck vibecodecheck-fix https://your-mvp.com --dry-run

Exit code 1 when score < threshold. Default threshold: 40. Use --ci --min-score=N to set a custom gate.

MCP — Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "vibecodecheck": {
      "command": "npx",
      "args": ["--yes", "[email protected]/vibecodecheck", "vibecodecheck-mcp"]
    }
  }
}

Then ask Claude: "Check if my site is ready to launch" — Claude calls check_site(url) and explains each finding.

MCP — Remote / Cloud Agents (codex-hermes, etc.)

npx --yes [email protected]/vibecodecheck vibecodecheck-mcp --port=3000

Connect any MCP-compatible agent to http://localhost:3000. Uses StreamableHTTP transport.

Example output

  VibecodeCheck scanning https://your-mvp.com ...

  VibecodeCheck
  https://your-mvp.com

  Score: 83/100  B — mostly ready

  Discoverability          ██████████ 25/25
  AI Crawler Access        ██████████ 24/25
  Answer Engine Content    ████░░░░░░  8/20
  Technical SEO            ██████████ 15/15
  Safety Boundary          ███████░░░ 11/15

  ❌ Issues (4)
     • No Schema.org JSON-LD found
     • FAQPage schema missing
     • Article schema missing
     • security.txt not found

  ⚠️  Warnings (1)
     • llms-full.txt not found (optional)

Score grades

90–100   A — launch ready
75–89    B — mostly ready
60–74    C — needs work
40–59    D — significant gaps
0–39     F — not ready to launch

Practical scenarios

Before launch — catch the silent blockers

npx --yes [email protected]/vibecodecheck vibecodecheck https://my-mvp.com

Catches missing llms.txt, blocked AI bots, no sitemap, exposed .env paths — before users or search engines notice.

In CI — gate on score

- name: Vibecodecheck
  run: npx --yes [email protected]/vibecodecheck vibecodecheck https://staging.my-mvp.com --json
  # exits 1 if score < 40

With Claude Desktop — get fix instructions

Ask Claude: "Run vibecodecheck on https://my-mvp.com and tell me what to fix first."

Claude runs the audit and returns prioritized fix steps with explanations.

Architecture

vibecodecheck/
├── bin/vibecodecheck.js      ← CLI entry (npx --yes [email protected]/vibecodecheck vibecodecheck)
├── mcp/server.js             ← MCP server: stdio + HTTP (npx --yes [email protected]/vibecodecheck vibecodecheck-mcp)
├── src/
│   ├── audit.js              ← orchestrator (parallel Promise.allSettled)
│   ├── checks/               ← 10 independent check modules
│   │   ├── aiBots.js         ← 13 AI crawlers, UA simulation
│   │   ├── feed.js           ← RSS/Atom feed detection
│   │   ├── headers.js        ← HTTPS, HEAD, security headers
│   │   ├── llms.js           ← llms.txt + llms-full.txt
│   │   ├── robots.js         ← robots.txt + Sitemap directive
│   │   ├── schema.js         ← Schema.org JSON-LD + OG tags
│   │   ├── securityTxt.js    ← /.well-known/security.txt
│   │   ├── sensitivePaths.js ← .env, .git, /admin exposure
│   │   ├── seoMeta.js        ← title, meta description, canonical, viewport
│   │   └── sitemap.js        ← sitemap.xml / sitemap_index.xml
│   ├── reporters/
│   │   └── markdown.js       ← console + markdown output
│   └── utils/
│       └── fetch.js          ← fetchWithTimeout (10s, AbortController)

Security boundary

  • All fetch calls have a 10-second timeout (AbortController)
  • --out= restricted to current directory (no path traversal)
  • Localhost/private IP scans emit a warning
  • No data is sent to any external service — all checks run client-side

Requirements

Node.js 18+

License

MIT — veris · [email protected]