npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

agentfence

v0.3.0

Published

Developer-first security scanner for AI agents, MCP servers, and tool-connected LLM workflows.

Readme

AgentFence

Developer-first security scanner for AI agents, MCP servers, and tool-connected LLM workflows.

AgentFence helps teams find risky agent permissions before AI tools touch real files, shell commands, APIs, secrets, databases, or cloud resources.

CI License: MIT

Docs site target: https://agentfence.pages.dev

Why

AI coding agents and MCP servers move quickly from experiments to real workflows. They often gain access to local files, shell commands, environment variables, network calls, and internal APIs before anyone reviews the blast radius.

AgentFence starts with a simple local scan:

  • Find MCP and agent config files.
  • Detect broad filesystem access.
  • Detect destructive command patterns.
  • Detect credential-looking keys.
  • Detect broad agent scopes.
  • Generate JSON and HTML reports.

Quick Start

npx agentfence init
npx agentfence scan --path .

Run locally from a cloned repo:

node ./bin/agentfence.js scan --path ./fixtures/vulnerable --out ./agentfence-report.html --json ./agentfence-report.json

CLI

agentfence scan [options]
agentfence init [options]

Options:
  -p, --path <dir>       Workspace to scan. Defaults to current directory.
      --json <file>      Write machine-readable JSON report.
  -o, --out <file>       Write local HTML report.
      --sarif <file>     Write SARIF report for code scanning.
      --policy <file>    Use an AgentFence policy file.
      --fail-on <gate>   Exit with code 2 on score or severity: low, medium, high, critical.
  -f, --force            Overwrite existing policy file when using init.
  -h, --help             Show help.

GitHub Action

name: AgentFence

on:
  pull_request:
  push:
    branches: [main]

jobs:
  agentfence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: Dev-Atmos/AgentFence@main
        with:
          path: .
          fail-on: high
          sarif: agentfence-report.sarif
          json: agentfence-report.json

GitHub Code Scanning

Upload SARIF to GitHub's Security tab:

name: AgentFence Code Scanning

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: Dev-Atmos/AgentFence@main
        with:
          path: .
          fail-on: critical
          sarif: agentfence-report.sarif

      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: agentfence-report.sarif

Policy File

Create agentfence.yml in the repository root to document narrow exceptions.

Generate a starter file:

npx agentfence init
ignore:
  - ".mcp.json:Broad agent permission scope"

allowedPaths:
  - "./docs"

allowedSecrets:
  - "publicTokenName"

Prefer fixing broad permissions over ignoring findings. Policy files should be reviewed like code.

Project Links

Current Rules

  • Potential secret or credential exposure.
  • Destructive command reachable by agent.
  • Broad filesystem access.
  • Broad agent permission scope.
  • Prompt-injection related text found.
  • Unsafe runtime or network setting.

Product Roadmap

v0.1

  • Local CLI.
  • MCP/agent config discovery.
  • JSON and HTML reports.
  • Risk score.

v0.2

  • GitHub Action.
  • Policy file: agentfence.yml.
  • CI fail thresholds.
  • SARIF output.
  • Ignore/allow policy support.

v0.3

  • Policy init command.
  • Markdown report output.
  • Real MCP client examples.
  • README screenshots.

Later

  • Approved tool registry.
  • VS Code/Cursor extension.
  • Team dashboard.
  • Trend tracking.
  • Pull request comments.

Positioning

AgentFence is not a replacement for a security team. It is a lightweight guardrail for developers, agencies, and small teams adopting AI agents faster than their review process can keep up.