npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

badgr-security-scan

v0.1.0

Published

Local-first scan for leaked secrets, unsafe defaults, prompt injection, and dangerous agent tools.

Readme

badgr-security-scan

Scan code, configs, and agent prompts for obvious security risks — leaked secrets, unsafe defaults, prompt injection, and dangerous tool permissions.

npx badgr-security-scan --text "$(cat src/config.ts)"

Free. No signup required. Runs entirely on your machine — nothing is sent anywhere.


The problem it solves

AI agents and LLM apps have a new class of security risks: leaked API keys in prompts, exec() calls in agent tools, and prompt injection phrases that hijack agent behavior. Standard linters don't catch these. badgr-security-scan does — in one command, with no setup.


Quick start

# Scan a code snippet
npx badgr-security-scan --text "API_KEY=sk_live_abc123 const client = new OpenAI()"

# Scan a file
npx badgr-security-scan --text "$(cat src/agent.ts)"

# Machine-readable JSON (for CI or pre-commit hooks)
npx badgr-security-scan --text "$(cat src/agent.ts)" --json

# Skip prompt injection checks
npx badgr-security-scan --text "$(cat src/config.ts)" --no-prompt-injection

CLI flags

| Flag | Description | |------|-------------| | --text <str> | Text or code snippet to scan (required) | | --no-prompt-injection | Skip prompt injection pattern checks | | --json | Output machine-readable JSON |

Exit codes: 0 = no blocking risks found, 1 = risks found


What it checks

| Category | What it looks for | Example | |---|---|---| | secret | API keys, tokens, or secrets with 16+ char values | API_KEY=sk_live_abc123456789 | | unsafe-default | Auth bypasses and TLS disabled | rejectUnauthorized: false, disableAuth | | dangerous-tool | Shell execution in agent tool code | exec(), child_process, rm -rf | | prompt-injection | Phrases that hijack agent behavior | "Ignore previous instructions", "exfiltrate" |


Example output

badgr-security-scan

  ✗  secret           API key or token found: API_KEY=sk_live_... (truncated)
  ✗  dangerous-tool   exec() call detected — dangerous in agent tool context
  ✓  unsafe-default   No unsafe auth defaults found
  ✓  prompt-injection No injection phrases found

  2 risks found. Review before deploying.
badgr-security-scan

  ✓  secret           No leaked secrets found
  ✓  unsafe-default   No unsafe auth defaults found
  ✓  dangerous-tool   No dangerous tool patterns found
  ✓  prompt-injection No injection phrases found

  All checks passed.

TypeScript API

import { runSecurityScan } from "badgr-security-scan";

const result = runSecurityScan({
  text: sourceCode,
  includePromptInjectionChecks: true,  // default: true
});

console.log(result.checks);
// [
//   { status: "fail", label: "secret", detail: "API key found: API_KEY=sk_live_..." },
//   { status: "pass", label: "unsafe-default", detail: "No unsafe auth defaults found" },
//   ...
// ]

if (!result.checks.every(c => c.status === "pass")) {
  process.exit(1);
}

Types:

interface SecurityScanOptions {
  text: string;
  includePromptInjectionChecks?: boolean;  // default: true
}

interface SecurityScanResult {
  checks: DiagnosticCheck[];
  report: JsonReport;
}

Use in CI / pre-commit

GitHub Actions:

- name: Security scan
  run: npx badgr-security-scan --text "$(cat src/agent.ts)" --json

Pre-commit hook (.husky/pre-commit):

npx badgr-security-scan --text "$(git diff --cached --unified=0)" --json

Requirements

  • Node.js 18+