npm-security-best-practices
Enhances npm security by applying best practices for dependency management and supply-chain hardening to prevent attacks.
Security score: 17/100
The npm-security-best-practices skill was audited on May 26, 2026 and we found 15 security issues across 3 threat categories, including 2 critical. Review the findings below before installing.
Security Issues
medium, line 342: Template literal with variable interpolation in command context
  Source (SKILL.md, line 342): ```ini

medium, line 199: Access to hidden dotfiles in home directory
  Source (SKILL.md, line 199): A malicious `postinstall` script with file-system access to your `~/.ssh/`, `~/.aws/`, browser profile, and password manager is game over. Isolating dev environments inside containers limits the blast

critical, line 199: Access to SSH directory
  Source (SKILL.md, line 199): A malicious `postinstall` script with file-system access to your `~/.ssh/`, `~/.aws/`, browser profile, and password manager is game over. Isolating dev environments inside containers limits the blast

critical, line 199: Access to AWS credentials directory
  Source (SKILL.md, line 199): A malicious `postinstall` script with file-system access to your `~/.ssh/`, `~/.aws/`, browser profile, and password manager is game over. Isolating dev environments inside containers limits the blast

medium, line 176: Access to .env file
  Source (SKILL.md, line 176): ## 9. No plaintext secrets in `.env`

medium, line 178: Access to .env file
  Source (SKILL.md, line 178): `.env` files leak via misconfigured backups, accidental commits, IDE auto-sync to cloud, malware reading `process.env`. Use secret references that resolve at runtime through a vault.

low, line 183: Access to .env file
  Source (SKILL.md, line 183): # .env (committable references, NOT plaintext)

low, line 189: Access to .env file
  Source (SKILL.md, line 189): op run --env-file=.env -- node server.js

medium, line 321: Access to .env file
  Source (SKILL.md, line 321): The npm website's package page is a curated, **incomplete** view. The actual installed tarball can contain files not listed in the registry metadata, including build artifacts, `.env.example` referenc

low, line 43: External URL reference
  Source (SKILL.md, line 43): Transitive deps fetched from git URLs or arbitrary tarball URLs bypass registry signing, provenance, and most static analysis. A legitimate package can ship a transitive dep that resolves to `git+http

low, line 51: External URL reference
  Source (SKILL.md, line 51): **yarn / bun:** no first-class flag at time of writing. Audit `yarn.lock` / `bun.lock` for `git+`, `http://`, or off-registry hosts.

low, line 65: External URL reference
  Source (SKILL.md, line 65): **bun:** see Bun's [`install` config](https://bun.sh/docs/runtime/bunfig).

low, line 87: External URL reference
  Source (SKILL.md, line 87): [`sfw`](https://socket.dev/blog/introducing-socket-firewall) intercepts ALL installs and blocks packages flagged by Socket's threat intel (malicious scripts, typosquatting, dependency confusion, suspi

low, line 307: External URL reference
  Source (SKILL.md, line 307): Before adding a dep, search [security.snyk.io](https://security.snyk.io). Look at:

low, line 344: External URL reference
  Source (SKILL.md, line 344): @yourorg:registry=https://npm.yourcompany.com/
Scanned on May 26, 2026
GitHub stars: 5
Category: development
Updated: June 15, 2026
susomejias/rembric