oathbound

v0.13.1

Install verified Claude Code skills and agents from the Oath Bound registry

oathbound

Install and verify Claude Code skills from the Oath Bound registry.

Skills are downloaded as tarballs from the registry and verified using SHA-256 content hashing. Every session start and every tool invocation can be checked against the registry to detect tampering.

Installation

Requires the Bun runtime.

bun add -g oathbound

Or via npm:

npm install -g oathbound

Usage

Install a skill

oathbound pull <namespace/skill-name>
oathbound install <namespace/skill-name>

Downloads the latest version of a skill from the registry, verifies the tarball hash, and extracts it into your .claude/skills/ directory.

Verify all installed skills (SessionStart hook)

oathbound verify

Reads session context from stdin, hashes every skill directory under .claude/skills/, and compares each hash against the registry. Writes a session state file so subsequent checks are fast. Exits non-zero if any skill fails verification.

Check a skill before tool execution (PreToolUse hook)

oathbound verify --check

Reads tool invocation context from stdin, re-hashes the relevant skill directory, and compares it against the hash recorded at session start. If the skill was modified after verification, the hook denies execution.

Hook integration

oathbound is designed to run as Claude Code hooks. Add it to your .claude/settings.json:

{
  "hooks": {
    "SessionStart": [
      {
        "type": "command",
        "command": "oathbound verify"
      }
    ],
    "PreToolUse": [
      {
        "type": "command",
        "command": "oathbound verify --check"
      }
    ]
  }
}

How it works

  1. Pull: Downloads a skill tarball from Supabase storage, verifies the SHA-256 hash of the tarball against the registry, and extracts the skill into .claude/skills/.

  2. SessionStart verification: Walks each subdirectory in .claude/skills/, collects all files (excluding node_modules, lockfiles, and .DS_Store), sorts them by path, hashes each file with SHA-256, then hashes the combined manifest. The resulting content hash is compared against the registry. Verified hashes are written to a temporary session state file.

  3. PreToolUse verification: Re-hashes the skill directory on disk and compares it against the hash saved at session start. If the content has changed since verification, the tool invocation is denied. This detects mid-session tampering.

The content hash algorithm is deterministic: files are sorted lexicographically by relative path, each file is individually hashed, and the concatenated path\0hash lines are hashed together. The same algorithm runs on both the registry (frontend) and the CLI to guarantee parity.
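The hashing scheme and the PreToolUse comparison described above, as an added sketch that is not oathbound's own code. The `\n` line separator, the hex digest encoding, the lockfile names in the skip list, and all function names are assumptions the README does not specify, so the output is not expected to match registry hashes.

```javascript
// Added sketch of the content hash described above; not oathbound's implementation.
const crypto = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumed skip list: the README names node_modules, lockfiles and .DS_Store
// but does not say which lockfile names are excluded.
const SKIP_DIRS = new Set(["node_modules"]);
const SKIP_FILES = new Set([".DS_Store", "package-lock.json", "yarn.lock", "bun.lock", "bun.lockb"]);
const sha256Hex = (data) => crypto.createHash("sha256").update(data).digest("hex");

// Collect regular files under root as "/"-separated relative paths.
// Symlinks and other non-regular entries are skipped in this sketch.
function collectFiles(root, rel = "") {
  const out = [];
  for (const entry of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const relPath = rel ? `${rel}/${entry.name}` : entry.name;
    if (entry.isDirectory()) {
      if (!SKIP_DIRS.has(entry.name)) out.push(...collectFiles(root, relPath));
    } else if (entry.isFile() && !SKIP_FILES.has(entry.name)) {
      out.push(relPath);
    }
  }
  return out;
}

// Sort by relative path, hash each file, then hash the "path\0hash" manifest.
function contentHash(skillDir) {
  const lines = collectFiles(skillDir)
    .sort() // code-unit order, independent of locale and directory read order
    .map((p) => `${p}\0${sha256Hex(fs.readFileSync(path.join(skillDir, p)))}`);
  return sha256Hex(lines.join("\n")); // "\n" separator is an assumption
}

// PreToolUse-style decision: re-hash and compare with the session-start hash.
function checkSkill(skillDir, recordedHash) {
  return contentHash(skillDir) === recordedHash ? "allow" : "deny";
}

// Constructed sample skill in a temp directory (not a real registry skill).
function makeSampleSkill() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "skill-"));
  fs.mkdirSync(path.join(dir, "scripts"));
  fs.writeFileSync(path.join(dir, "SKILL.md"), "# demo skill\n");
  fs.writeFileSync(path.join(dir, "scripts", "run.sh"), "echo hello\n");
  return dir;
}
const demoDir = makeSampleSkill();
console.log(checkSkill(demoDir, contentHash(demoDir)));
```

Because each manifest line binds a path to its file hash, renaming or moving a file changes the content hash even when the file bytes are identical.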

License

Business Source License 1.1 (BUSL-1.1). The Change Date is 2028-03-04, after which the code is available under Apache 2.0.