I was planning to post about some upcoming PeakD updates today, but a couple of hours ago I saw this post and went down a completely different rabbit hole:
https://x.com/karpathy/status/2038849654423798197
Long story short: there was a nasty package incident around axios, and once I understood the general shape of the problem my first thought was not "great, another security post".
It was: "I really do not want to manually check a bunch of folders for this kind of thing ever again."
That is the part that always gets annoying.
The part where you start jumping between repos, old side projects, random scripts, frontend experiments, half-abandoned bots, and whatever else you have sitting in your workspace, trying to answer one simple question: Is this thing anywhere in my projects or not?
I added a new skill called npm-scan to my skills repo:
The idea is very simple.
You point your AI agent at a folder and it scans through all subfolders looking for the package and version you care about.
That means next time something like this happens, I do not need to manually poke around project by project hoping I did not miss one.
I can just run the scan and get a quick answer.
If you build on Hive, security should be a top priority, and chances are you do not have just one clean project.
You probably have a mix of:
And that is exactly why this kind of check gets tedious so fast.
The issue is not only whether one single app is affected.
The issue is whether you remember all the places where something might be hiding.
That is where a simple recursive scan becomes handy.
Without getting too deep into the weeds, it checks common JavaScript project setups and looks for the package version you want to investigate.
In practice, it helps answer:
Support for npm, pnpm and yarn is included.
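To make the shape of such a scan concrete, here is an added example written for this post; it is not the npm-scan skill's own code. It walks a workspace, parses the common lockfile shapes for npm (package-lock.json v1 and v2/v3), yarn (classic yarn.lock) and pnpm (pnpm-lock.yaml), checks the installed copy under node_modules/<pkg>/package.json, and reports every project where the package is pinned to the version you name. The sample workspace it builds (the project names, the package name axios and the version 1.2.3) is constructed purely for the demonstration.

```python
"""Recursive workspace scan for one npm package at one version.

Added example, not the npm-scan skill's own code. Lockfile parsing is
JSON/regex based and covers the common shapes of package-lock.json,
yarn.lock and pnpm-lock.yaml; all sample data below is constructed.
"""
import json
import os
import re
import tempfile

SKIP_DIRS = {".git", "dist", "build", ".next"}  # node_modules is read directly, not walked


def versions_in_package_lock(path, pkg):
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    found = set()
    # lockfile v2/v3: "packages": {"node_modules/<pkg>": {"version": ...}}
    for key, meta in data.get("packages", {}).items():
        if key.endswith("node_modules/" + pkg) and "version" in meta:
            found.add(meta["version"])

    def walk(deps):  # lockfile v1: nested "dependencies" maps
        for name, meta in deps.items():
            if name == pkg and "version" in meta:
                found.add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return found


def versions_in_yarn_lock(path, pkg):
    # classic format: an unindented header such as `axios@^1.2.0, axios@~1.2.1:`
    # followed by an indented `  version "1.2.4"` line
    header = re.compile(r'^"?' + re.escape(pkg) + r"@")
    found, in_block = set(), False
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if line.strip() and not line[0].isspace():
                in_block = bool(header.match(line))
            elif in_block:
                m = re.match(r'\s+version\s+"?([^"\s]+)"?', line)
                if m:
                    found.add(m.group(1))
    return found


def versions_in_pnpm_lock(path, pkg):
    # package keys look like `/axios@1.2.3:`, `axios@1.2.3:` or `/axios/1.2.3:`,
    # optionally followed by a peer-dependency suffix in parentheses
    key = re.compile(r"^\s*/?" + re.escape(pkg) + r"[@/](\d[^:(]*)[:(]")
    with open(path, encoding="utf-8") as fh:
        return {m.group(1) for m in map(key.match, fh) if m}


def installed_version(project_dir, pkg):
    manifest = os.path.join(project_dir, "node_modules", *pkg.split("/"), "package.json")
    if not os.path.isfile(manifest):
        return None
    with open(manifest, encoding="utf-8") as fh:
        return json.load(fh).get("version")


LOCKFILES = {
    "package-lock.json": versions_in_package_lock,
    "yarn.lock": versions_in_yarn_lock,
    "pnpm-lock.yaml": versions_in_pnpm_lock,
}


def scan_tree(root, pkg, version):
    """Return (project, source, version) for every place pkg@version appears under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS and d != "node_modules"]
        project = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name, parser in LOCKFILES.items():
            if name in filenames and version in parser(os.path.join(dirpath, name), pkg):
                hits.append((project, name, version))
        if "package.json" in filenames and installed_version(dirpath, pkg) == version:
            hits.append((project, "node_modules", version))
    return hits


def build_sample_workspace():
    """Constructed fixture: three fake projects, one per package manager."""
    root = tempfile.mkdtemp(prefix="npm-scan-")

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("app-npm/package.json", '{"dependencies": {"axios": "^1.2.0"}}')
    write("app-npm/package-lock.json", json.dumps(
        {"lockfileVersion": 3, "packages": {"node_modules/axios": {"version": "1.2.3"}}}))
    write("app-npm/node_modules/axios/package.json", '{"version": "1.2.3"}')
    write("bot-yarn/package.json", '{"dependencies": {"axios": "^1.2.0"}}')
    write("bot-yarn/yarn.lock", 'axios@^1.2.0:\n  version "1.2.4"\n')
    write("tools/cli-pnpm/package.json", '{"dependencies": {"axios": "1.2.3"}}')
    write("tools/cli-pnpm/pnpm-lock.yaml",
          "lockfileVersion: '9.0'\npackages:\n  axios@1.2.3:\n    resolution: {integrity: placeholder}\n")
    return root


if __name__ == "__main__":
    import sys
    args = sys.argv[1:4] if len(sys.argv) == 4 else (build_sample_workspace(), "axios", "1.2.3")
    for project, source, found in scan_tree(*args):
        print(f"{project}: {args[1]}@{found} via {source}")
```

Run it as `python scan.py <workspace> <package> <version>`; with no arguments it scans the constructed fixture. Two design points matter in practice: node_modules is not walked (that would make the scan crawl on a big workspace) but the one package of interest is read from it directly, so a project whose lockfile is clean but whose installed copy is stale still shows up; and the yarn.lock parser only reports a hit from a block whose header names the package, so a dependency of the same version that happens to reference the package in its own block is not miscounted.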
I think this is one of the nicest use cases for skills in general.
A weird thing happens: you do the manual work once, you realize the manual work is boring, and then you package that workflow so next time you do not have to repeat yourself.
npx skills add https://github.com/asgarth/skills --skill npm-scan
If you are building on Hive and you have a pile of JavaScript projects around, this is probably worth keeping nearby.
Hopefully you run it and find nothing.
But even in that case, it is still nice to replace an hour of boring folder-by-folder checking with one quick scan. And honestly, that was the whole point.