npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

policylayer

v0.1.6

Published

Scan your MCP servers for security risks — live tool discovery + classification + shareable report

Readme

policylayer

Scan your MCP config. See what your AI agent can do. Get a shareable report.

Quick start

npx -y policylayer

That's it. The CLI finds your MCP config, live-scans each server, classifies every tool, and prints a report URL.

What it does

  1. Finds your config -- checks .mcp.json, ~/.claude.json, Claude Desktop, Cursor, VS Code, Windsurf, and Codex configs automatically
  2. Live-scans servers -- spawns each MCP server, performs the JSON-RPC handshake, and discovers every tool with its full schema
  3. Classifies tools -- checks against the PolicyLayer database of 2,500+ classified tools. Unknown tools are classified locally using schema analysis, blast radius detection, and verb matching
  4. Generates a policy YAML -- suggested default rules for every tool, ready to use with Intercept
  5. Prints a report URL -- permanent, shareable, no login required
  6. Contributes back -- live-scanned tool data is contributed to the database so future scans are faster for everyone

Commands

npx -y policylayer

Options:

| Flag | Description | |------|-------------| | -d, --dir <path> | Directory to scan for config files (default: cwd) | | -o, --output <path> | Output path for policy YAML (default: policylayer.yaml) | | --no-live | Skip live scanning, classify from config only | | --no-report | Skip submitting report to PolicyLayer | | --timeout <ms> | Timeout per server in milliseconds (default: 30000) | | --json | Output results as JSON |

Examples

# Auto-detect config and scan
npx -y policylayer

# Scan a specific directory
npx -y policylayer -d ~/projects/my-app

# Skip live scanning (faster, less detailed)
npx -y policylayer --no-live

# Output as JSON for piping
npx -y policylayer --json

# Custom policy output path
npx -y policylayer -o my-policy.yaml

Config detection

The CLI searches these paths and uses all configs found:

| Client | Path | |--------|------| | Claude Code (project) | .mcp.json | | Claude Code (user) | ~/.claude.json | | Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json | | Cursor | .cursor/mcp.json | | VS Code | .vscode/settings.json | | Windsurf | ~/.codeium/windsurf/mcp_config.json | | Codex (project) | .codex/config.toml | | Codex (user) | ~/.codex/config.toml |

Privacy

The CLI never sends your raw config. Before anything leaves your machine:

  • Environment variables are stripped
  • Auth tokens are removed
  • Only server names, package identifiers, and tool schemas are sent
  • Live-scanned tool data (names, descriptions, schemas) is contributed to improve the database

Use --no-report to skip sending anything.

Links