cc-sc-verify

v1.0.0

Supply chain integrity checker for Claude Code plugins. Verifies installed plugins against their source repos for tampering, version drift, repo deletion, and tool definition changes since install.

Install

npx cc-sc-verify

Also published as sc-verify for shorter invocation:

npx sc-verify

What it does

Reads your installed plugin metadata from ~/.claude/plugins/ and checks each plugin's source repo on GitHub:

  • Repo status -- Is the source repo still active, or has it been archived, deleted, or transferred to a different owner?
  • Version drift -- Does your installed version match the latest commit, or are you behind?
  • Skill diff -- Have skills been added or removed upstream since you installed?
  • Hook diff -- Have hook files been added or removed upstream?
  • Description change -- Has the plugin's description changed (potential scope change)?

Usage

# Check all installed plugins
cc-sc-verify

# Check only plugins from a specific marketplace
cc-sc-verify --marketplace ordovera-plugins

# Check a single plugin
cc-sc-verify --plugin context-setup@ordovera-plugins

# JSON output (for piping to other tools)
cc-sc-verify --json

# With GitHub token for higher rate limits (5,000 vs 60 req/hr)
GITHUB_TOKEN=ghp_xxx cc-sc-verify

Example output

Plugin Supply Chain Verification
================================
Checked: 2026-04-15 17:16:34 UTC
Plugins: 2 checked, 2 with issues

--- ordovera-plugins ---

[BEHIND] context-setup (ordovera-plugins)
  Repo: ordovera/ordovera-plugins
  Installed: 2026-04-02 | Last updated: 2026-04-02
  SHA: 6c97949accf5 -> 308d243e024c (BEHIND)
  Skills added upstream: context-budget
  Plugin description changed since install

[BEHIND] top10-scan (ordovera-plugins)
  Repo: ordovera/ordovera-plugins
  Installed: 2026-04-02 | Last updated: 2026-04-02
  SHA: 6c97949accf5 -> 308d243e024c (BEHIND)

[OK] mcp-audit (ordovera-plugins)
  Repo: ordovera/ordovera-plugins
  Installed: 2026-04-15 | Last updated: 2026-04-15
  SHA: 308d243e024c (CURRENT)

Summary
-------
  Behind upstream: context-setup, top10-scan
  Current: mcp-audit

What this does NOT cover

cc-sc-verify checks the plugin layer -- the integrity of installed Claude Code plugins against their source repos. It does not:

  • Audit plugin permissions or structure (use plugin-audit or claude-plugin-audit)
  • Audit Claude Code settings permissions (use cc-audit)
  • Scan code dependencies for CVEs (use npm audit, pip-audit, or the top10-scan plugin's SCA skill)
  • Scan plugin skill content for malicious patterns (use security-guidance or Trail of Bits supply-chain skills)

The gap cc-sc-verify fills: every existing tool audits either structure/permissions of installed plugins OR code dependencies. Nobody verifies installed plugins against their source repos for tampering, version drift, repo deletion, or tool definition changes since install. That is the source integrity layer.

How it works

  1. Reads ~/.claude/plugins/installed_plugins.json for installed plugin metadata (install path, version SHA, install date)
  2. Reads ~/.claude/plugins/known_marketplaces.json to map marketplace names to GitHub repos
  3. For each plugin, calls the GitHub API to check repo status (exists, archived, transferred)
  4. Fetches the repo tree to compare skills and hooks against the cached install
  5. Compares the installed commit SHA against the latest upstream SHA
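The comparison in steps 3 to 5, sketched as an added example that runs offline on constructed data; it is not cc-sc-verify's own source. Assumptions: the plugin record's field names, the `<pluginDir>/skills/<name>/` and `<pluginDir>/hooks/<file>` layout, and the skill name `example-skill` are hypothetical; a 404 is read as a deleted repo and a changed `full_name` (what the GitHub API returns after following a rename redirect) as a transfer.

```javascript
// Added example, not cc-sc-verify's source. Assumed layout inside the repo:
// <pluginDir>/skills/<name>/... and <pluginDir>/hooks/<file>.

// Step 3: classify a "get repository" API result ({ status, body }).
function repoStatus(expected, res) {
  if (res.status === 404) return "DELETED";
  if (res.body.full_name.toLowerCase() !== expected.toLowerCase()) return "TRANSFERRED";
  return res.body.archived ? "ARCHIVED" : "ACTIVE";
}

// Step 4: names directly under <pluginDir>/<kind>/ in a list of tree paths.
function namesUnder(paths, pluginDir, kind) {
  const prefix = `${pluginDir}/${kind}/`;
  const hits = paths.filter((p) => p.startsWith(prefix));
  return new Set(hits.map((p) => p.slice(prefix.length).split("/")[0]));
}

function diffNames(installed, upstream) {
  return {
    added: [...upstream].filter((n) => !installed.has(n)).sort(),
    removed: [...installed].filter((n) => !upstream.has(n)).sort(),
  };
}

// Steps 3-5 combined into one verdict per plugin.
function verifyPlugin(plugin, repoRes, upstream) {
  const repo = repoStatus(plugin.repo, repoRes);
  if (repo === "DELETED") return { repo, verdict: "DELETED" };
  const diff = (kind) => diffNames(
    namesUnder(plugin.cachedPaths, plugin.dir, kind),
    namesUnder(upstream.paths, plugin.dir, kind));
  // The installed SHA may be abbreviated; a missing SHA is never "current".
  const behind = !plugin.sha || !upstream.sha.startsWith(plugin.sha);
  const verdict = repo !== "ACTIVE" ? repo : behind ? "BEHIND" : "OK";
  return { repo, verdict, skills: diff("skills"), hooks: diff("hooks") };
}

// Constructed sample data (SHAs reuse the abbreviated values from the example output).
const plugin = {
  repo: "ordovera/ordovera-plugins", dir: "context-setup", sha: "6c97949accf5",
  cachedPaths: ["context-setup/skills/example-skill/SKILL.md", "context-setup/hooks/hooks.json"],
};
const upstream = {
  sha: "308d243e024c",
  paths: [...plugin.cachedPaths, "context-setup/skills/context-budget/SKILL.md"],
};
const active = { status: 200, body: { full_name: "ordovera/ordovera-plugins", archived: false } };

console.log(verifyPlugin(plugin, active, upstream));
```

A repo-level finding (archived, transferred, deleted) takes precedence over version drift in the verdict, since it changes who controls future updates.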

Environment

  • GITHUB_TOKEN -- Optional. GitHub personal access token for authenticated API access. Without it, you're limited to 60 requests per hour (enough for a few plugins). With it, 5,000 per hour.

Sibling packages and plugins

License

MIT