$ man package-risk-npm
/package-risk-npm
PRICE / CALL
$0.03
USDC · base mainnet · scheme: exact
METHOD
POST
CLUSTER
prooflayerCATEGORY
ai
STATUS
● live
NAME
package-risk-npm — scores supply-chain risk for an npm package before you install it
SYNOPSIS
POST https://x402.agentutility.ai/package-risk-npm
Content-Type: application/json
X-PAYMENT: <signed-transferWithAuthorization>
{ ... }↳ first call →
402 Payment Required. Sign USDCtransferWithAuthorization, retry with theX-PAYMENT header.DESCRIPTION
Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate.
INPUT — request schema
| property | type | description | req? |
|---|---|---|---|
| package_name | string | npm package name. Supports scoped names (e.g. '@types/node', '@vercel/next'). | required |
| version | string | Optional specific version (e.g. '4.17.21'). Default: latest tagged version. | optional |
OUTPUT — response shape
| field | type | description |
|---|---|---|
| package_name | string | npm package name that was scanned. |
| version | string | Specific package version evaluated, or latest if no version was requested. |
| score | number | Numeric risk score (higher = riskier) aggregated from maintainer, download, install-script, and typosquat signals. |
| risk_level | string | Categorical bucket like low, medium, high, or critical derived from the score. |
| summary | string | LLM-written plain-English risk summary covering the main red flags for this package. |
| signals | object | Raw signal breakdown: maintainer count, weekly downloads, install scripts, dep depth, deprecation, age, typosquat distance. |
| metadata | object | Package metadata from the npm registry: publish date, license, repo URL, homepage, latest version, deprecation status. |
EXAMPLES — two ways to call
EXAMPLE 1 · curl
curl -X POST https://x402.agentutility.ai/package-risk-npm \
-H 'Content-Type: application/json' \
-d '{ }'first response =
402 Payment Required with payment requirements; sign + retry with X-PAYMENT.EXAMPLE 2 · mcp
# Install the MCP package for this endpoint's cluster npx -y @agentutility/mcp-<cluster> # Required: EVM private key with USDC on Base export X402_PRIVATE_KEY=0x... # Then call the package-risk-npm tool from your MCP-aware agent.
MCP server handles payment automatically — your coding agent just calls the tool by name.
METADATA
- tags
- npmsupply-chainsecuritypackagerisk
- env
- VENICE_API_KEY
- methods
- POST
- cluster
- prooflayer
- price
- $0.03 USDC per call
ADJACENT — other endpoints in prooflayer
| endpoint | description | price |
|---|---|---|
| ai-content-detector | Detect AI-generated writing with a calibrated probability score. | $0.03 |
| dep-risk-summary | Scores dependency risk for a whole repo from its manifests and lockfiles. | $0.03 |
| github-repo-health | GitHub repo health score / open-source maintainability checker. | $0.03 |
| prompt-injection-surface | Scans AI app source code for prompt injection risk at LLM call sites. | $0.03 |
| app-store-rejection-explain | Explains App Store and Google Play rejections and turns them into a resubmission plan. | $0.02 |
| db-migration-risk | Audits database migrations for risky SQL before deploy. | $0.02 |
| deploy-config-risk | Audits deploy configuration files for production risks. | $0.02 |
| secrets-exposure-check | Scans project config files for hardcoded secrets before you deploy. | $0.02 |
SEE ALSO