Install: claude install-skill arndvs/ctrlshft
# npm Security Audit Skill
Output "Read npm Security Audit skill." to chat to acknowledge you read this file.
Performs a layered security audit on an npm/pnpm/yarn project to detect supply chain attack vectors,
credential theft attempts, persistence mechanisms, and suspicious network behavior — before
any code is executed. Works on monorepos (multiple package.json files) and single-package repos.
## When to use
- User wants to audit a local cloned repo before running it
- Trigger phrases: 'check this repo before I run it', 'is this package safe', 'audit this project', 'scan this before installing', 'should I trust this repo'
- Trigger proactively if the user mentions cloning a random GitHub repo and running it
- User has only a GitHub URL: ask them to clone it first — this skill operates on files on disk
## Step 0 — Detect repo structure (monorepo vs single package)
Always run this first to know what you're dealing with. Do NOT assume `./package.json` exists at the repo root — some repos keep the Node app in a subdirectory.
```bash
# Find ALL package.json files, excluding node_modules
find . -name "package.json" \
  -not -path "*/node_modules/*" \
  -not -path "*/.git/*" | sort

# Workspaces declared in pnpm-workspace.yaml (pnpm doesn't put them in package.json)
if [ -f pnpm-workspace.yaml ]; then
  echo "Workspaces (pnpm-workspace.yaml):"
  grep -E '^[[:space:]]*-[[:space:]]' pnpm-workspace.yaml | head -20
fi

# Detect package manager and security posture for EACH disc
```
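As an added example (not the skill's own code), a POSIX sh script that applies Step 0 to a constructed sample monorepo: it lists every package.json outside node_modules, infers the package manager from the nearest lockfile, and flags install-time lifecycle scripts, which run automatically on install and are the usual carrier for the persistence and credential-theft behaviour the audit looks for. The function names and the sample layout are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code. Per package.json: which package
# manager its nearest lockfile implies, and which install-time lifecycle
# scripts it declares (those run without any explicit user action).

# Print the package manager for directory $1, walking up to repo root $2
# because workspace lockfiles live at the root, not in each package.
detect_pm() {
  d=$1
  while :; do
    if [ -f "$d/pnpm-lock.yaml" ]; then echo pnpm; return; fi
    if [ -f "$d/yarn.lock" ]; then echo yarn; return; fi
    if [ -f "$d/package-lock.json" ]; then echo npm; return; fi
    [ "$d" = "$2" ] || [ "$d" = / ] && break
    d=$(dirname "$d")
  done
  echo unknown
}

# Print install-time lifecycle script names declared in $1/package.json,
# one per line (no output when none). Uses grep/sed only, so no jq needed.
lifecycle_scripts() {
  grep -oE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1/package.json" 2>/dev/null \
    | sed -E 's/^"([a-z]+)".*/\1/'
}

# Walk every package.json under $1 (excluding node_modules and .git) and
# print one tab-separated line per package: dir, manager, lifecycle scripts.
audit_tree() {
  find "$1" -name package.json -not -path '*/node_modules/*' -not -path '*/.git/*' | sort |
  while read -r manifest; do
    d=$(dirname "$manifest")
    scripts=$(lifecycle_scripts "$d" | tr '\n' ',' | sed 's/,$//')
    printf '%s\t%s\t%s\n' "$d" "$(detect_pm "$d" "$1")" "${scripts:-none}"
  done
}

# Constructed sample pnpm monorepo so the example runs offline.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/packages/app" "$SAMPLE/node_modules/dep"
: > "$SAMPLE/pnpm-lock.yaml"
printf '{ "name": "root", "private": true }\n' > "$SAMPLE/package.json"
printf '{ "name": "app", "scripts": { "postinstall": "node setup.js", "test": "jest" } }\n' \
  > "$SAMPLE/packages/app/package.json"
printf '{ "name": "dep", "scripts": { "preinstall": "true" } }\n' > "$SAMPLE/node_modules/dep/package.json"

audit_tree "$SAMPLE"
```

Any package reported with a lifecycle script is where the later layers of the audit should read the referenced files first, since that code runs on `install` before anything else in the repo.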