Skill (package-scanner-cli)

Give AI coding agents the ability to scan npm dependencies, search malware history, and inspect package metadata via the PackageScanner API.

Repository (source and docs)
What is a Skill?

A skill is a portable set of instructions and helper scripts that teach an AI coding agent (Claude Code, Cursor, etc.) how to use an external service. The PackageScanner skill lets agents:

  • Upload and analyze package.json or lockfiles for known malware and OSV vulnerabilities
  • Search the malware database by package name and version
  • Fetch npm registry metadata with freshness and license alerts
  • Retrieve previously generated analysis reports by ID
Installation

Install with the skills CLI

Run the following command to install the PackageScanner skill into your project. No global install is required.

npx skills add Kazuki-tam/package-scanner-skill --skill package-scanner-cli

List available skills

You can list the skills in the repository before installing.

npx skills add Kazuki-tam/package-scanner-skill --list

Global install (optional)

Add the -g flag to install globally so every project on this machine has the skill.

npx skills add Kazuki-tam/package-scanner-skill --skill package-scanner-cli -g

Verify installation

After installing, run the health check to confirm the skill is working.

node skills/package-scanner-cli/scripts/package_scanner.js health

Capabilities
The skill exposes the following workflows to AI agents through the PackageScanner public API:

Scan manifest files

Upload package.json and/or lockfiles (npm, pnpm, yarn, bun) to detect malware and known vulnerabilities.

Search malware database

Query by package name and optional version to check for known malicious versions.

Package metadata inspection

Retrieve publish date, license, and risk signals from the npm registry for a given package.

Retrieve analysis reports

Fetch a previously generated scan report by its analysis ID.
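The first three workflows above, as an added example that is not the skill's own code (the skill's helper script calls the PackageScanner API, whose request format this page does not document): it extracts exact name@version pairs from a package.json and a package-lock.json, matches them against a malware list, and derives a freshness alert from the "time" map of an npm registry packument. The manifests, the package names, the MALWARE_DB list and the publish dates in it are constructed for the example; it parses npm lockfile versions 1 and 2/3 only (pnpm, yarn and bun formats are not handled), and it also covers nested node_modules paths and scoped names, which the page's descriptions do not spell out.

```javascript
// Added example (not the skill's own code). Reproduces, offline, the two steps
// behind a manifest scan: extract exact name@version pairs, then look them up
// in a malware list and a registry "time" map. All inputs below are constructed.

const NM = "node_modules/";

// package.json pins nothing; it only declares version ranges per field.
function depsFromPackageJson(text) {
  const pkg = JSON.parse(text);
  const out = new Map();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) out.set(name, range);
  }
  return out;
}

// package-lock.json pins exact versions. v2/v3 have a flat "packages" map keyed
// by install path; v1 nests a "dependencies" tree. Returns [{ name, version }].
// (pnpm, yarn and bun lockfiles use other formats and are not parsed here.)
function depsFromPackageLock(text) {
  const lock = JSON.parse(text);
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue; // root entry or workspace link
      // The name is whatever follows the last "node_modules/", which keeps
      // scoped names ("@scope/name") intact for nested installs.
      out.push({ name: path.slice(path.lastIndexOf(NM) + NM.length), version: entry.version });
    }
  } else {
    const walk = (tree) => {
      for (const [name, entry] of Object.entries(tree || {})) {
        out.push({ name, version: entry.version });
        walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// db: name -> versions known malicious, "*" meaning every version.
// "no_match" means the list has no record for that version, not that it is safe.
function malwareVerdict(name, version, db) {
  const bad = db[name];
  if (!bad) return "no_match";
  return bad.includes("*") || bad.includes(version) ? "malicious" : "no_match";
}

// timeMap follows the npm packument "time" shape (version -> ISO publish date).
// Flags versions younger than minAgeDays at scan time.
function freshnessAlert(timeMap, version, nowIso, minAgeDays) {
  const published = timeMap[version];
  if (!published) return "unknown_publish_date";
  const ageDays = (Date.parse(nowIso) - Date.parse(published)) / 86400000;
  return ageDays < minAgeDays ? "recently_published" : "ok";
}

// Full scan: every pinned pair is looked up. A dependency declared in package.json
// but absent from the lockfile has only a range, so it is reported as "unpinned".
function scan(packageJsonText, lockText, db, timeMaps, nowIso) {
  const declared = depsFromPackageJson(packageJsonText);
  const pinned = depsFromPackageLock(lockText);
  const pinnedNames = new Set(pinned.map((d) => d.name));
  const results = pinned.map(({ name, version }) => ({
    name,
    version,
    verdict: malwareVerdict(name, version, db),
    freshness: timeMaps[name] ? freshnessAlert(timeMaps[name], version, nowIso, 7) : "no_metadata",
  }));
  for (const [name, range] of declared) {
    if (!pinnedNames.has(name)) results.push({ name, range, verdict: "unpinned" });
  }
  return results;
}

// ---- constructed inputs: names, versions, dates and the malware list are made up
const PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { lodash: "^4.17.21", "left-pad": "1.3.0", "not-installed-yet": "^1.0.0" },
  devDependencies: { "demo-lint-plugin": "^2.0.0" },
});
const PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/demo-lint-plugin": { version: "2.1.0" },
    "node_modules/demo-lint-plugin/node_modules/@demo/helper": { version: "0.0.3" },
  },
});
const MALWARE_DB = { "demo-lint-plugin": ["2.1.0"], "constructed-bad-pkg": ["*"] };
const REGISTRY_TIME = {
  lodash: { "4.17.21": "2021-02-20T00:00:00.000Z" },
  "@demo/helper": { "0.0.3": "2024-05-30T09:00:00.000Z" },
};
const NOW = "2024-06-01T00:00:00.000Z";

console.table(scan(PACKAGE_JSON, PACKAGE_LOCK, MALWARE_DB, REGISTRY_TIME, NOW));
```

Run it with node; the table shows demo-lint-plugin@2.1.0 as malicious, @demo/helper@0.0.3 as recently published, and not-installed-yet as unpinned. The verdict vocabulary is the point: a package missing from the malware list comes back as "no_match", never "safe", which is the same caveat that applies to results from the real service.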

Usage examples
Once installed, you can ask your AI coding agent to perform security checks using natural language:
  • "Scan my package.json for malicious packages"
  • "Check if lodash has any known malware versions"
  • "Get the metadata for the express package"
  • "Is eslint-plugin-paysafe safe to use?"

The agent automatically detects when to use the skill based on keywords like package.json, lockfile, npm malware, supply-chain risk, and dependency vulnerabilities.

Security notes
Important security considerations when using the skill:
  • The helper script uses only Node.js standard library modules — no additional dependencies are installed
  • Full scans upload the files you pass (package.json and lockfiles) to the PackageScanner API. Lockfiles record the resolved URL of every dependency, so they can reveal private registry hostnames and internal package names; review them before scanning a private project
  • The skill is read-only: the helper script reads the files you name and queries the API; it does not modify your project files or your system
  • Malware results come from the PackageScanner malware database, so a package with no match is one the database has no record of, not one that has been verified safe; treat a clean result as one signal, not a guarantee