npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

murphysec

v1.0.4

Published

MurphySec SCA Agent skills installer.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

murphysecmurphysec

Keywords

Readme

MurphySec SCA Skills

MurphySec SCA Agent skills installer for Codex, Claude Code, Trae, and generic Agent skill directories.

Install

Interactive install:

npx murphysec-sca-skills install

Interactive install stores the MurphySec server origin in ~/.murphysec-sca/config.env. Later interactive installs reuse that value and ask whether to replace it instead of asking for the server every time.

Install for Codex:

npx murphysec-sca-skills install --host codex --server <server-origin>

Install for Codex from an AI Agent, replacing existing SCA skills:

npx murphysec-sca-skills install --host codex --force --server <server-origin>

Install for all detected Agent hosts:

npx murphysec-sca-skills install --all --server <server-origin>

Install to a custom skills directory:

npx murphysec-sca-skills install --dest <skills-dir> --server <server-origin>

The server can also be supplied by environment variable:

MURPHYSEC_SERVER=<server-origin> npx murphysec-sca-skills install --host codex --force

The legacy no-subcommand form is still accepted:

npx murphysec-sca-skills --host codex --server <server-origin>

Auth

Re-authorize the local MurphySec CLI:

npx murphysec-sca-skills auth login --server <server-origin>

Check authorization status:

npx murphysec-sca-skills auth status --server <server-origin>

For install and auth, the server origin is resolved in this order: --server, MURPHYSEC_SERVER, MURPHYSEC_INSTALL_ORIGIN, ~/.murphysec-sca/config.env, then an interactive prompt when available.

Options

install             Interactive install when no options are provided.
auth login          Re-authorize with device-code login.
auth status         Verify the stored local token.
--host <name>       Target host: codex, claude, agents, trae. Default: codex.
--all               Install to all detected host directories.
--dest <dir>        Install to a custom skills directory.
--server <url>      MurphySec server origin. Required unless MURPHYSEC_SERVER is set.
--verify-token      Run auth status with the stored token, then exit.
--force             Replace existing MurphySec SCA skill directories.
--skip-bootstrap    Copy skills only. Intended for automation or manual bootstrap.
--dry-run           Print actions without changing files.
-h, --help          Show help.

What It Does

  1. Copies sca-component-check, sca-sbom-scan, and sca-shared into the target skills directory.
  2. Writes the configured server origin into sca-shared/references/install-config.env.
  3. Installs or verifies the local MurphySec CLI.
  4. Verifies an existing token with auth status --json --server <server-origin>.
  5. Starts device-code authorization when no valid token is available.
  6. Prints the authorization link and keeps the same command running until the CLI saves the token locally.
  7. Prints usage examples after installation completes.

The token is read from the local token file and passed to the MurphySec CLI through process environment. Do not paste or print the token in chat.

AI Agent Notes

When the installer prints an authorization link, relay that link to the user as a clickable Markdown link and keep the install command running. Do not call open, and do not start another murphysec auth login command.

If the installer reports that the existing token is authorized, do not tell the user to click an authorization link.

After installation, include the install result and the natural-language usage guidance printed by the installer. Do not include internal marker lines such as MURPHYSEC_AUTH_STATUS unless they are needed for debugging.

After Installation

The installer prints usage guidance after installation:

如当前会话尚未识别新安装的 sca-sbom-scan 和 sca-component-check 技能,请重启或新开会话后使用。你可以这样问我:

  • 单组件漏洞检查:lodash 4.17.15 有漏洞吗?
  • 组件版本升级建议:requests 2.31.0 是否建议升级?
  • 整个项目的组件与漏洞检查:进入目标项目目录后,输入 帮我在当前项目做一次 SCA 依赖扫描

During login authorization, the installer also prints:

授权链接:<authorization-url>

Supported Hosts

| Host | Default skills directory | |------|--------------------------| | Codex | ~/.codex/skills | | Claude Code | ~/.claude/skills | | Trae | ~/.trae/skills | | Generic Agent | ~/.agents/skills |