skillfence

v2.2.0

Published

Context-aware security scanner for AI agent skills, MCP servers, and tool configs. 95+ rules with false-positive reduction. Detects prompt injection, credential leaks, CORS misconfig, SSRF, tool poisoning, and data exfiltration.

Downloads

598

Readme

🛡️ SkillFence

Security scanner for AI agent skills, MCP servers, and tool configs.

Quick Start

npx skillfence scan .              # Scan current directory
npx skillfence scan SKILL.md       # Scan a file
npx skillfence scan --stdin        # Pipe from stdin
npx skillfence rules               # List all 76 rules

What It Detects

76 detection rules across 12 categories, mapped to OWASP MCP Top 10:

| Category | Rules | Examples |
|----------|-------|---------|
| 🔴 Remote Code Execution | 5 | curl pipe to shell, eval(), child_process |
| 🎯 Prompt Injection | 5 | instruction override, role hijacking, hidden prompts |
| 🔑 Credential Exposure | 5 | API keys, .env access, hardcoded secrets |
| 💀 Destructive Operations | 4 | rm -rf, filesystem wipe, DROP TABLE |
| 📤 Data Exfiltration | 6 | DNS tunneling, base64 encoding, file upload |
| ⚡ MCP Attacks | 9 | tool poisoning, sampling abuse, forced execution, CORS |
| 🧠 AI Safety | 8 | LangChain exploits, pickle RCE, HuggingFace code exec |
| 🔐 Authentication | 3 | disabled auth, weak JWT, TLS bypass |
| 📊 PII / Data Leak | 3 | password logging, token exposure, training data PII |
| 🚫 DoS / Availability | 3 | infinite loops, rate limit bypass, token exhaustion |
| 📦 Supply Chain | 6 | typosquatting, lifecycle scripts, unsafe-perm |
| 💰 Crypto / Financial | 4 | wallet theft, transaction signing, token approvals |
| 🔒 Privilege Escalation | 1 | sudo usage |

Pre-Commit Hook

Block dangerous code before it's committed:

npx skillfence install-hook    # Install git pre-commit hook

Commits with CRITICAL findings are blocked. Use git commit --no-verify to bypass.

GitHub Action

- uses: hhhashexe/skillfence@main
  with:
    path: '.'
    fail-on: 'BLOCK'

Output Formats

npx skillfence scan . --json     # JSON output for CI/CD
npx skillfence scan . --sarif    # SARIF for GitHub Security tab

Exit Codes

| Code | Verdict | Meaning |
|------|---------|---------|
| 0 | CLEAN | No issues found |
| 1 | REVIEW | Low-severity findings |
| 2 | WARN | Medium-severity findings |
| 3 | BLOCK | Critical issues — must fix |
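
The exit-code table above can drive a CI gate with a configurable threshold; this is an added example, not code from the SkillFence project, and it fails closed on any status outside 0-3 so a crashed or missing scanner is not read as a clean scan. Assumptions: the function names (`verdict_for_code`, `rank_for_verdict`, `gate`, `run_gate`) are hypothetical, and the CLI's exit status is taken to follow the table.

```shell
# Added example (not SkillFence code): CI gate driven by the exit-code table.
# Assumption: the CLI's exit status follows that table (0 CLEAN .. 3 BLOCK).

# Map an exit status to its verdict; anything else is not a scan result
# (e.g. 127 = command not found), so it is reported as ERROR.
verdict_for_code() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo REVIEW ;;
        2) echo WARN ;;
        3) echo BLOCK ;;
        *) echo ERROR ;;
    esac
}

# Map a verdict name to its rank so it can be used as a threshold.
rank_for_verdict() {
    case "$1" in
        REVIEW) echo 1 ;;
        WARN) echo 2 ;;
        BLOCK) echo 3 ;;
        *) echo -1 ;;   # CLEAN or unknown is not a usable threshold
    esac
}

# gate <exit-status> <fail-on verdict>: returns 0 to pass the build, 1 to fail.
# Fails closed: an unknown status or an unknown threshold fails the build.
gate() {
    verdict=$(verdict_for_code "$1")
    threshold=$(rank_for_verdict "$2")
    if [ "$verdict" = ERROR ] || [ "$threshold" -lt 1 ]; then
        return 1
    fi
    [ "$1" -lt "$threshold" ]
}

# run_gate <path> <fail-on>: run the scan, report the verdict, apply the gate.
run_gate() {
    status=0
    npx skillfence scan "$1" || status=$?   # keep the status even under set -e
    echo "skillfence verdict: $(verdict_for_code "$status") (exit $status)" >&2
    gate "$status" "$2"
}

# Runs only when invoked with two arguments, e.g.: sh gate.sh . WARN
if [ "$#" -eq 2 ]; then
    run_gate "$1" "$2"
fi
```
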

Install Globally

npm install -g skillfence
skillfence scan /path/to/project

Zero Dependencies

SkillFence has zero npm dependencies. Just Node.js 16+.

API

SkillFence also offers a hosted API for CI/CD integration:

curl -X POST https://your-instance/audit \
  -H "Content-Type: application/json" \
  -d '{"skill_content": "..."}'

License

MIT