npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

linmas

v0.1.8

Published

Defensive security skill collection for Claude Code and compatible AI coding agents.

Readme


What is Linmas?

Linmas is an open-source defensive security skill collection for Claude Code and compatible AI coding agents.

Linmas is an open-source security assistant inspired by Indonesia’s community protection concept, Perlindungan Masyarakat. It is not affiliated with any government institution.

It provides reusable security-specialist instructions under skills/<skill-name>/SKILL.md, so AI coding agents can help with practical security review, secure architecture, cloud hardening, incident triage, detection engineering, compliance review, and authorized validation work.

Linmas is designed to be:

  • Practical — focused on concrete checks, remediation guidance, and reviewable outputs.
  • Defensive — scoped for authorized security work only.
  • Reusable — packaged as installable skills that can be shared across projects.
  • Beginner-friendly — useful for builders who may not yet know what security controls to ask for.
  • Reviewable — structured so humans can inspect, validate, and reject unsafe or incorrect recommendations.

Why the name “Linmas”?

Linmas stands for Perlindungan Masyarakat, an Indonesian community-protection organization formed at the village or urban-neighborhood level to help maintain public safety, order, and community resilience.

Previously known as Pertahanan Sipil or Hansip, Linmas members often act as a first layer of protection in public activities, disaster response, elections, and local community safety.

This project uses the name Linmas because security should not only be accessible after a team becomes mature enough to hire dedicated security specialists. Many beginner builders and vibe coders ship code before they fully understand authentication risks, authorization flaws, secret exposure, insecure file upload, cloud misconfiguration, logging gaps, dependency risk, or incident response basics.

Linmas is not meant to be the “police”, “military”, or final authority of application security. It is meant to be the first layer of defense closest to everyday builders: a practical guardrail that helps people notice risks earlier, ask better security questions, and improve their code before problems reach production.

Who Linmas is for

Linmas is intended for:

  • solo developers and indie hackers building with AI coding agents;
  • vibe coders who need security guidance without becoming security specialists first;
  • engineering teams that want reusable defensive security prompts and checklists;
  • maintainers who want safer review workflows for open-source projects;
  • teams preparing for secure architecture review, cloud hardening, detection engineering, incident triage, or compliance readiness.

What Linmas includes

The current public package includes:

skills/       Security skill definitions
scripts/      Validation and package helper scripts
README.md     Project documentation
package.json  npm package metadata and commands
LICENSE       Apache-2.0 license text
NOTICE        Attribution guidance
TRADEMARK.md  Name and branding restrictions

Installable skills are first-class entries under:

skills/<skill-name>/SKILL.md

Skill catalog

| Skill | Primary use | Typical output | |---|---|---| | secure-code-reviewer | Secure code review, threat modeling, remediation guidance | Vulnerability findings, impact, fixes, review notes | | smart-contract-reviewer | Authorized Web3, smart contract, and protocol risk review | Contract risk notes, exploitability assessment, safer patterns | | cloud-hardening-architect | Cloud IAM, segmentation, hardening, platform guardrails | Hardening plan, IAM review, control placement | | controls-compliance-reviewer | Control mapping, evidence review, audit readiness | Control gaps, evidence checklist, audit notes | | incident-triage-lead | Incident triage, containment planning, response coordination | Triage plan, containment steps, evidence handling | | exploit-validation-specialist | Authorized exploit-path validation and proof-of-impact review | Bounded validation plan, proof notes, remediation priority | | secure-systems-architect | Trust-boundary analysis and secure system design | Architecture risks, control map, safer design options | | security-domain-router | Selecting the right Linmas specialist for a task | Recommended skill routing and scope clarification | | security-operations-lead | Monitoring workflows, operational hardening, escalation readiness | Runbooks, alert workflow, operational gaps | | detection-rules-engineer | SIEM rules, telemetry mapping, alert tuning | Detection logic, rule tuning, telemetry requirements | | threat-research-analyst | IOC analysis, adversary tracking, defensive intelligence | Threat summary, IOC notes, defensive recommendations |

Installation

Use npx to inspect and install Linmas skills:

npx linmas list
npx linmas detect
npx linmas install secure-code-reviewer --dry-run

Install a specific skill:

npx linmas install secure-code-reviewer

Install all first-class Linmas skills:

npx linmas install --all

Inspect the host and managed-install health:

npx linmas doctor

Remove a Linmas-managed skill:

npx linmas uninstall secure-code-reviewer

CLI command reference

| Command | Purpose | |---|---| | npx linmas list | List available Linmas skills | | npx linmas detect | Detect compatible AI coding-agent hosts | | npx linmas install <skill> | Install one skill to a detected host | | npx linmas install --all | Install all first-class Linmas skills | | npx linmas onboard | Explain what the skills are for and where they are installed | | npx linmas doctor | Inspect host detection and managed-install health | | npx linmas uninstall <skill> | Remove one Linmas-managed skill |

Suggested workflow

1. Detect the host environment
2. Choose the security domain or ask the router skill
3. Install the relevant Linmas skill
4. Ask the AI coding agent for a scoped defensive review
5. Review the output manually
6. Apply fixes in small commits
7. Re-run tests, validation, and security checks

Secure code advisor review

Invoke secure-code-reviewer after an agent produces a sensitive diff, code change, configuration, or response. It reviews supplied material; installing Linmas does not automatically filter every agent response.

Use the Linmas secure-code-reviewer skill in advisor review mode.
Review the supplied diff for authentication, authorization, input validation,
secret exposure, insecure file handling, logging gaps, and dependency risks.
For each item, return Status, Severity, Evidence, Affected surface,
Preconditions, Remediation, and Verification. Mark missing context as
Needs validation. Stay within authorized defensive review scope.

Run the relevant project checks after review, such as tests, secret scanning, and npm run validate. The advisor complements these deterministic checks; it does not prove that a change is secure. Human review is required before shipping.

Security advisor skills

All ten specialist skills support advisor review mode for supplied diffs, code, configuration, evidence, or operational proposals, and design review mode for defensive plans before implementation. Choose the specialist that fits the task:

  • secure-code-reviewer — application code and secure SDLC;
  • secure-systems-architect — cross-system trust boundaries and security design;
  • cloud-hardening-architect — cloud IAM, network exposure, and platform controls;
  • incident-triage-lead — incident classification, containment, and recovery;
  • security-operations-lead — monitoring, alert ownership, and response readiness;
  • detection-rules-engineer — telemetry and detection logic;
  • threat-research-analyst — adversary research and indicators;
  • controls-compliance-reviewer — control evidence and compliance review;
  • smart-contract-reviewer — blockchain and smart-contract security; and
  • exploit-validation-specialist — authorized, bounded exploit-path validation.

Use security-domain-router to choose a specialist when the domain is unclear or the task spans more than one area. The router selects the next workflow; it does not replace specialist assessment.

Specialist responses distinguish Confirmed finding, Needs validation, and Recommendation. Each finding includes severity, evidence, affected surface, preconditions, remediation, verification, and relevant deterministic checks. Advisors review only supplied material in authorized scope, never approve a change, and do not automatically filter every agent response. Human review is required before shipping.

Optional repository policy

Maintainers may copy this guidance into repository instructions when their host supports repository-local policy:

For defensive security changes, after generating the proposed diff, response, or
plan, invoke the relevant Linmas specialist in advisor review mode or design review
mode. Use security-domain-router when the appropriate specialist is unclear. Address
or explicitly track Confirmed findings, investigate Needs validation items, then run
applicable tests and validation commands. This policy is optional, does not replace
human review or deterministic checks, and does not automatically filter every agent response.

Intended use

Linmas is intended for defensive, authorized, and legitimate security work, including:

  • application security review;
  • secure architecture review;
  • cloud security review;
  • incident response support;
  • detection engineering;
  • compliance review;
  • threat intelligence analysis;
  • authorized penetration testing planning and reporting.

Safety boundary

Do not use Linmas for unauthorized access, credential theft, destructive attacks, stealth, persistence, evasion, or harm.

Linmas skills should be used to improve systems you own, maintain, are explicitly authorized to assess, or are helping defend. For dual-use areas such as exploit validation, incident response, Web3 review, and threat intelligence, keep the work bounded, documented, and defensive.

Validation

Run the package validation before publishing or opening a release pull request:

npm run validate
npm run pack:dry-run

Recommended release sanity checks:

npm run validate
git diff --check
npm pack --dry-run

Published-package smoke tests must run from a neutral temporary directory, not from inside the Linmas source checkout. Running npx linmas@<version> inside the package checkout can produce false negatives due npm/npx same-package resolution behavior.

Use:

npm view linmas version
node scripts/smoke-published-package.mjs 0.1.6

Design principles

  • Defense first — every skill should improve legitimate security outcomes.
  • Human review required — AI output is guidance, not automatic approval.
  • Small, inspectable changes — prefer narrow findings and concrete remediation over broad claims.
  • Clear safety boundaries — reject harmful or unauthorized use cases.
  • Operational usefulness — recommendations should map to code, configuration, logs, controls, or runbooks.
  • Public-good orientation — make baseline security guidance more accessible to everyday builders.

Roadmap

Planned directions:

  • improve installer compatibility across AI coding-agent hosts;
  • expand host detection and doctor checks;
  • add more examples for real-world secure review workflows;
  • improve documentation for beginner security users;
  • maintain stronger validation for skill structure, package contents, and safety boundaries.

Contributing

Contributions are welcome when they improve defensive security quality, clarity, safety, or usability.

See CONTRIBUTING.md for the full contributing guide.

Before contributing:

  1. Keep skill behavior defensive and authorization-bounded.
  2. Keep instructions concrete and reviewable.
  3. Avoid vague security claims that cannot be tested.
  4. Run validation before submitting changes.
  5. Preserve licensing, attribution, and trademark boundaries.

Licensing and attribution

Linmas is licensed under the Apache License 2.0.

See:

Apache-2.0 allows commercial and noncommercial use, redistribution, and modification. Linmas branding is not part of the software license. If you redistribute or adapt Linmas, keep attribution intact and use distinct branding for derivative projects.