Trust Status
✓ Listed in Forge index +10/10
— Publisher identity verified +0/25
→ Publisher: run `forge publish` from the package repo to claim ownership
— Ed25519 publish signature +0/10
→ Included automatically when the publisher runs `forge publish`
— Domain verification +0/5
→ Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
✓ Static analysis · clean +20/20
✓ npm provenance (Sigstore) +5/5
Copy AI prompt → Paste into Claude Code, Cursor, or any AI assistant to fix all gaps
Status Community-indexed
Publisher Unverified
Signature Unsigned
Domain —
Provenance ✗ Attestation issue
Dependencies ✓ 60 resolved+ · none vulnerable
Tool surface —
Security scan ⚠ Warnings (0) v1.12.0 · 18d ago
PROV attestation Provenance attestation failed Sigstore verification
Evals None
Indexed Jun 16, 2026
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.