New Native MCP · Registry active

Evidence-first npm package checks

Know what runs before it runs.

npx-vibe verifies npm tarballs, inspects install-time behavior, and shows the source evidence behind every decision—before a developer or coding agent executes the package.

npx npx-vibe --check esbuild
0 runtime dependencies 63 automated tests Off AI by default
npx-vibe package preflight read-only
Animated npx-vibe scan of esbuild showing tarball verification, install-hook evidence, optional Gemini review, and a Caution verdict
No package code executed Caution 43/100
Live npm downloads this week
3 native MCP tools
9 cross-platform CI targets
MIT open source

The safety pause

Evidence first. Judgment second.

The fast path is deterministic, local, and key-free. A model can add interpretation when you explicitly request it, but source evidence remains the authority.

  1. 01

    Resolve

    Pin the exact npm version, using the lockfile when a project provides one.

  2. 02

    Verify

    Download without execution and validate npm's published integrity metadata.

  3. 03

    Inspect

    Review lifecycle hooks and selected files for network, shell, secret, and obfuscation signals.

  4. 04

    Decide

    Return Proceed, Caution, or Block with the lines that explain why.

One safety contract

Built for humans. Native for agents.

The same read-only scanner works in a terminal, inside a coding-agent workflow, or as discoverable MCP tools.

01
$

Developer CLI

Inspect one package, guard an npx command, or review every direct project dependency.

npx npx-vibe --check <package>
02
{ }

Agent Skill

Teach compatible coding agents when to continue, request approval, stop, or retry.

--agent <package>

Agent Skill

A package gate agents can understand.

A versioned JSON contract normalizes every result into continue, review, stop, or retry. Caution always returns control to a human.

npx skills add Devrajsinh-Jhala/NPM-Vibe-check --skill npx-vibe -g
Read the Agent Skill
Agent preflightschema v1
Animated coding-agent package preflight returning a structured Caution decision and pausing before execution

Model Context Protocol

Connect once. Discover three focused tools.

scan_package, scan_project, and list_models return structured content without package execution or credentials in tool arguments.

stdio configurationread-only
{
  "mcpServers": {
    "npx-vibe": {
      "command": "npx",
      "args": ["--yes", "npx-vibe@latest", "--mcp"]
    }
  }
}
Active in the official MCP Registry
MCP tool callstructuredContent
Animated MCP client discovering npx-vibe tools and receiving a structured Caution decision

Reports you can audit

No mystery score. Read the evidence.

A typical clean package scan. No API key, model, or package execution is involved.

npx-vibe report source-backed
PProceed

No meaningful deterministic risk signal was found.

CCaution

Reviewable behavior requires human judgment.

BBlock

Critical or high-risk source evidence was detected.

Project preflight

Check the dependency set, not only the next command.

Scan direct registry dependencies from package.json, resolve exact versions from package-lock.json, and emit local, JSON, agent, or GitHub Actions output.

npx npx-vibe --project .
dependency preflightno execution
$ npx npx-vibe --project .

! my-app: Caution   highest risk 43/100

Scanned       12/12 direct dependencies
Proceed       11
Caution       1
Block         0

CAUTION  43/100  esbuild@0.28.1
  lifecycle_hook, network_and_shell

No dependency or package code was executed.

Optional AI review

Interpretation when useful. Determinism by default.

Heuristics always run first. If you opt in, choose local Ollama or an online provider, select a maintained profile or exact model, and see which model produced the result.

OllamaOpenAIAnthropicGemini OpenRouterGroqTogetherCustom
01Selected package filesnot your local project
02Your chosen modellocal or online
03Matched evidenceunsupported claims ignored

Start with the key-free path

Add one deliberate pause before the next package runs.

No account, global install, or AI key is required.

npx npx-vibe --check <package>
Open on npm View the source
Security boundary

npx-vibe is a pre-execution scanner, not a sandbox, antivirus product, or formal audit. Proceed is a useful review signal—never proof that a package is safe.