→ Publisher: run `forge publish` from the package repo to claim ownership
— Ed25519 publish signature: +0/10
→ Included automatically when the publisher runs `forge publish`
— Domain verification: +0/5
→ Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
— CVE scan · not run: +0/30
→ Not yet scanned — package must be on npm
— Static analysis · clean: +0/20
→ Not yet scanned — package must be on npm
— npm provenance (Sigstore): +0/5
→ Publish from GitHub Actions with the --provenance flag
Status: Community-indexed
Publisher: Unverified
Signature: Unsigned
Domain: —
Provenance: —
Dependencies: Not audited
Tool surface: —
Security scan: Scan failed · vunknown · 12d ago
Evals: None
Indexed: Jun 18, 2026
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.