
@workingmodel/what-is-this-package-actually-doing

v1.0.0

Runs an npm package and tells you what it actually does — network calls, file writes, child processes, env snooping.

Readme

@workingmodel/what-is-this-package-actually-doing

Runs an npm package and tells you what it actually does — network calls, file writes, child processes, credential snooping. Developed by Working Model.

Installing some-package in sandbox…

what-is-this-package-actually-doing
Package: some-package@<version>
Says what it does: A helpful utility library

Running with tracer…

✖ [Telemetry] Makes outbound calls to known telemetry services on require: ingest.sentry.io
  This package phones home when imported — before you do anything with it.

⚠ [Install Script] some-package runs a script on install (postinstall).
  Install scripts execute arbitrary code during npm install — before you've reviewed anything.

⚠ [Child Process] Spawns 1 child process(es) on require: git rev-parse HEAD
  Spawning processes at require-time is unusual. Check what these commands do.

Summary: 1 error, 2 warnings
This package behaves suspiciously. Review before using.

Install

npx @workingmodel/what-is-this-package-actually-doing <package-name>

Or install globally:

npm install -g @workingmodel/what-is-this-package-actually-doing

Usage

what-is-this-package-actually-doing lodash
what-is-this-package-actually-doing <package-name>@<version>   (pin the exact version you intend to install, so the scan covers the same code)

Exits with code 1 if errors are found and 0 if clean, so the command can be used to gate a CI step.

What It Checks

| Check | What it catches |
|-------|-----------------|
| Telemetry | Outbound calls to Sentry, Segment, Mixpanel, Amplitude, and other known tracking services at require-time |
| Network calls | Any outbound HTTP/HTTPS request made just by importing the package |
| File writes | Writes to ~/.ssh, ~/.aws, ~/.gnupg, or anywhere outside /tmp at require-time |
| Sensitive reads | Reads of SSH keys, AWS credentials, .env files, .npmrc |
| Child processes | Shell commands spawned on require — especially rm -rf, curl \| sh, sudo |
| Install scripts | preinstall/install/postinstall hooks that run arbitrary code during npm install |

How It Works

The tool installs the package into a temporary directory, then runs it through Node.js with a preload script that wraps the http, https, fs, and child_process APIs. It reports everything suspicious that fires on require, before you ever run the package in your own project.

Two caveats follow from that design. First, this is a dynamic check of require-time behaviour only: code that runs lazily (on a later function call, on a timer, or only when a particular environment variable such as CI is set) is not exercised and will not be reported, so a clean scan is evidence, not proof. Second, the temporary directory is not an isolation boundary: the package's require-time code runs with your user's privileges, and because the interception works by wrapping Node's public APIs, code that reaches the native bindings directly or loads a native addon can act without being observed. Scan a package you already distrust inside a throwaway container or VM.

The sandbox is cleaned up automatically after the scan.

Why This Exists

You found a package on npm. It has 2 million weekly downloads. The readme says it's a date formatter. You install it and suddenly your CI is making outbound calls to an analytics service you never signed up for. Or worse.

Most developers never find out what a package actually does at runtime. This tool runs it first and tells you.


More tools from Working Model → workingmodel.co · npm @workingmodel