→ Publisher: run `forge publish` from the package repo to claim ownership
— Ed25519 publish signature: +0/10
→ Included automatically when the publisher runs `forge publish`
— Domain verification: +0/5
→ Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
✓ CVE scan · clean: +30/30
✓ Static analysis · clean: +20/20
✓ npm provenance (Sigstore): +5/5
Status: Community-indexed
Publisher: Unverified
Signature: Unsigned
Domain: —
Provenance: ✓ Sigstore-verified · 392a5d4
Dependencies: 60 resolved · 1 with advisories
Tool surface: 12 tools · none privileged
Security scan: ✓ Clean · v0.20.0 · 19d ago
DEP: postcss@8.4.31 · GHSA-qx2v-qp2m-jg93 (transitive)
Evals: None
Indexed: Jun 12, 2026
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.
About
Local-first dashboard for AI CLI token, cost, and session analytics.