Skip to content
clusters: prooflayer · edgemarket · edgefinance · synthforge · mediakit · wordmint · webprobe · locale · comppoint · rollforge · bestiary · statline · matchpoint · retail · agentops · browserworkflow · modelrouter · compose
$ man package-risk-npm

/package-risk-npm

agentutility / prooflayer / package-risk-npm
PRICE / CALL
$0.03
USDC · base mainnet · scheme: exact
METHOD
POST
CLUSTER
prooflayer
CATEGORY
ai
STATUS
live
NAME
package-risk-npm scores supply-chain risk for an npm package before you install it
SYNOPSIS
POST https://x402.agentutility.ai/package-risk-npm
     Content-Type: application/json
     X-PAYMENT:    <signed-transferWithAuthorization>

     { ... }
↳ first call → 402 Payment Required. Sign USDCtransferWithAuthorization, retry with theX-PAYMENT header.
DESCRIPTION

Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate.

INPUTrequest schema
propertytypedescriptionreq?
package_namestringnpm package name. Supports scoped names (e.g. '@types/node', '@vercel/next').required
versionstringOptional specific version (e.g. '4.17.21'). Default: latest tagged version.optional
OUTPUTresponse shape
fieldtypedescription
package_namestringnpm package name that was scanned.
versionstringSpecific package version evaluated, or latest if no version was requested.
scorenumberNumeric risk score (higher = riskier) aggregated from maintainer, download, install-script, and typosquat signals.
risk_levelstringCategorical bucket like low, medium, high, or critical derived from the score.
summarystringLLM-written plain-English risk summary covering the main red flags for this package.
signalsobjectRaw signal breakdown: maintainer count, weekly downloads, install scripts, dep depth, deprecation, age, typosquat distance.
metadataobjectPackage metadata from the npm registry: publish date, license, repo URL, homepage, latest version, deprecation status.
EXAMPLEStwo ways to call
EXAMPLE 1 · curl
curl -X POST https://x402.agentutility.ai/package-risk-npm \
  -H 'Content-Type: application/json' \
  -d '{ }'
first response = 402 Payment Required with payment requirements; sign + retry with X-PAYMENT.
EXAMPLE 2 · mcp
# Install the MCP package for this endpoint's cluster
npx -y @agentutility/mcp-<cluster>

# Required: EVM private key with USDC on Base
export X402_PRIVATE_KEY=0x...

# Then call the package-risk-npm tool from your MCP-aware agent.
MCP server handles payment automatically — your coding agent just calls the tool by name.
METADATA
tags
npmsupply-chainsecuritypackagerisk
env
VENICE_API_KEY
methods
POST
cluster
prooflayer
price
$0.03 USDC per call
ADJACENTother endpoints in prooflayer
endpointdescriptionprice
ai-content-detectorDetect AI-generated writing with a calibrated probability score.$0.03
dep-risk-summaryScores dependency risk for a whole repo from its manifests and lockfiles.$0.03
github-repo-healthGitHub repo health score / open-source maintainability checker.$0.03
prompt-injection-surfaceScans AI app source code for prompt injection risk at LLM call sites.$0.03
app-store-rejection-explainExplains App Store and Google Play rejections and turns them into a resubmission plan.$0.02
db-migration-riskAudits database migrations for risky SQL before deploy.$0.02
deploy-config-riskAudits deploy configuration files for production risks.$0.02
secrets-exposure-checkScans project config files for hardcoded secrets before you deploy.$0.02
SEE ALSO
agentutility · prooflayer · x402 · mcp · llms.txt · registry.json · bazaar.x402.org