
pi-marketplace

v0.1.2

Published

Pi extension for searching, auditing, and installing pi packages from npm — with security review and optional pi.dev enrichment

Readme

🛒 pi-marketplace


Pi extension for searching, auditing, and installing pi packages from npm — with built-in security review and optional pi.dev enrichment.

Features

| Tool | What it does |
|------|--------------|
| marketplace_search | Search pi packages by keyword, filter by type (extension/skill/prompt/theme) |
| marketplace_detail | Full package info: version, author, license, pi manifest, dependencies, size |
| marketplace_audit | Security audit: metadata check + source code keyword scanning |
| marketplace_install | Audit → user confirmation → install (never auto-installs) |

Install

pi install npm:pi-marketplace

Reload if pi is already running:

/reload

Usage

Search packages

Ask pi to find packages:

Find me a Pi package for MCP

What theme packages are available?

Search for subagent-related extensions

View details

Show me details of pi-mcp-adapter

Security audit

Audit the package @some-user/some-pkg before installing

Install with review

Install pi-mcp-adapter (will run audit first)

How It Works

  1. Search: Queries npm registry with keywords:pi-package, filters by your query
  2. Type filtering: Fetches each result's pi manifest to determine resource type locally
  3. pi.dev enrichment (optional): Fetches pi.dev package cards to add author, human-readable downloads, relative publish time, and richer type display when available
  4. Security audit:
    • Layer 1 — Metadata (zero cost): Resource types, dependency count, file count, package size, insecure flag
    • Layer 2 — Source scan (downloads tarball): Scans published .ts/.js/.mjs/.cjs files for dangerous patterns:
      • 🔴 Critical: rm -rf, rimraf, fs.unlink, fs.rmdir
      • 🟠 High: eval(), Function(), execSync(), spawn()
      • 🟡 Medium: process.env, child_process, HTTP requests
      • 🟢 Low: chmod, chown
  5. Install: Shows audit report → requires explicit user confirmation → runs pi install
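As an added illustration (not pi-marketplace's own code), here is a minimal TypeScript keyword scanner that mirrors the Layer 2 severity tiers listed above, applied to a constructed sample file. The regexes, the `scanSource`/`worstSeverity` names and the sample source are assumptions; the last sample line shows why the README's static-scan disclaimer matters, since a concatenated `"ev" + "al"` is not caught by keyword matching.

```typescript
// Added example (not pi-marketplace's own code): keyword scanner following the
// README's Layer 2 tiers. Regexes and names below are assumptions.
type Severity = "critical" | "high" | "medium" | "low";

interface Finding { severity: Severity; pattern: string; line: number; text: string; }

// Pattern table built from the README's tiers; the regexes are this example's guesses.
const PATTERNS: { severity: Severity; pattern: string; re: RegExp }[] = [
  { severity: "critical", pattern: "rm -rf", re: /\brm\s+-rf\b/ },
  { severity: "critical", pattern: "rimraf", re: /\brimraf\b/ },
  { severity: "critical", pattern: "fs.unlink", re: /\bfs\.unlink(Sync)?\b/ },
  { severity: "critical", pattern: "fs.rmdir", re: /\bfs\.rmdir(Sync)?\b/ },
  { severity: "high", pattern: "eval()", re: /\beval\s*\(/ },
  { severity: "high", pattern: "Function()", re: /\bFunction\s*\(/ },
  { severity: "high", pattern: "execSync()", re: /\bexecSync\s*\(/ },
  { severity: "high", pattern: "spawn()", re: /\bspawn(Sync)?\s*\(/ },
  { severity: "medium", pattern: "process.env", re: /\bprocess\.env\b/ },
  { severity: "medium", pattern: "child_process", re: /\bchild_process\b/ },
  { severity: "medium", pattern: "HTTP request", re: /\bfetch\s*\(|\bhttps?\.(request|get)\s*\(/ },
  { severity: "low", pattern: "chmod", re: /\bchmod\b/ },
  { severity: "low", pattern: "chown", re: /\bchown\b/ },
];

const RANK: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1 };

// Scan one file's text line by line; every tier entry that matches a line is a finding.
export function scanSource(code: string): Finding[] {
  const findings: Finding[] = [];
  code.split("\n").forEach((text, i) => {
    for (const p of PATTERNS) {
      if (p.re.test(text)) findings.push({ severity: p.severity, pattern: p.pattern, line: i + 1, text: text.trim() });
    }
  });
  return findings;
}

// Highest severity present, or null for a clean file; an install gate would key on this.
export function worstSeverity(findings: Finding[]): Severity | null {
  return findings.reduce<Severity | null>(
    (w, f) => (w === null || RANK[f.severity] > RANK[w] ? f.severity : w), null);
}

// Constructed sample "published" file (not a real package). Line 4 evades the scan:
// keyword matching cannot see an obfuscated name, which is exactly the README's caveat.
export const SAMPLE = `import { execSync } from "child_process";
const token = process.env.NPM_TOKEN;
execSync("rm -rf " + process.cwd());
(globalThis as any)["ev" + "al"]("1+1");
`;
```

Running `scanSource(SAMPLE)` yields four findings (two medium, one high, one critical) and `worstSeverity` reports `critical`, while the obfuscated line 4 produces nothing.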

Design Principles

  • Registry-first: Search, detail, type filtering, and audit rely on npm registry metadata for correctness.
  • Optional pi.dev enrichment: Search results can be enriched with pi.dev gallery metadata for better browsing and display.
  • Never auto-installs: Always requires user confirmation after audit.
  • Static scan disclaimer: Clearly states that keyword scanning cannot detect obfuscated code.
  • Zero dependencies: Pure TypeScript, no runtime npm dependencies.

Development

git clone https://github.com/507/pi-marketplace.git
cd pi-marketplace
npm install          # peer deps
pi --no-extensions -e .   # load only this extension for testing

Test

npm test

Type Check

npm run typecheck

Configuration

No configuration needed. All tools accept parameters at call time:

| Parameter | Tool | Description |
|-----------|------|-------------|
| query | search | Search keyword |
| type | search | Filter: extension / skill / prompt / theme |
| limit | search | Max results (default 20) |
| name | detail / audit / install | Package name |
| deepScan | audit / install | Download and scan source (default true) |

License

MIT