Metadata-Version: 2.4
Name: pkgmd
Version: 0.1.0
Summary: Turn published npm, PyPI, and Go packages into clean Markdown for agent supply-chain review before install.
Author-email: Amram Englander <amrameng@gmail.com>
License-Expression: MIT
Project-URL: Homepage, https://pkgmd.dev
Project-URL: Repository, https://github.com/arsolutioner/pkgmd
Keywords: supply-chain,security,packages,npm,pypi,go,agents,llm
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click>=8.0.0
Provides-Extra: web
Requires-Dist: fastapi==0.115.0; extra == "web"
Requires-Dist: jinja2==3.1.4; extra == "web"
Requires-Dist: python-multipart==0.0.9; extra == "web"
Requires-Dist: uvicorn[standard]==0.30.6; extra == "web"
Provides-Extra: dev
Requires-Dist: httpx; extra == "dev"
Requires-Dist: pytest; extra == "dev"
Dynamic: license-file

<div align="center">

<!-- Logo image will go here -->

# pkgmd

**Turn published npm, PyPI, and Go packages into clean Markdown for agent supply-chain review before install.**

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![PyPI](https://img.shields.io/pypi/v/pkgmd?color=3775A9&logo=pypi&logoColor=white)](https://pypi.org/project/pkgmd)
[![Python](https://img.shields.io/badge/Python-3.9%2B-3776AB?logo=python&logoColor=white)](https://python.org)
[![Claude Code](https://img.shields.io/badge/Claude_Code-Skill-D97706?logo=anthropic&logoColor=white)](https://claude.com/claude-code)
[![LinkedIn](https://img.shields.io/badge/LinkedIn-Amram_Englander-0A66C2?logo=linkedin&logoColor=white)](https://www.linkedin.com/in/amram-englander)

[Installation](#installation) · [Usage](#usage) · [Claude Code Skill](#claude-code-skill) · [Ecosystems](#supported-ecosystems) · [pkgmd.com](https://pkgmd.com)

</div>

---

## What it does

Every package release is a black box until you open it. pkgmd downloads the published artifact, extracts it, and renders the full source tree as a single Markdown file your agent can read, review, and reason about — before the package ever touches your environment.

Recent supply-chain compromises on [Axios](https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/), [LiteLLM](https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/), and [Trivy](https://github.com/aquasecurity/trivy/discussions/10425) showed that even trusted packages can be compromised at the release level. This tool gives your agent the artifact, not just the metadata.

---

## Installation

```bash
pipx install pkgmd
```

Or with pip:

```bash
pip install pkgmd
```

---

## Usage

```bash
pkgmd ingest npm react
pkgmd ingest pypi requests==2.32.3
pkgmd ingest go rsc.io/quote@v1.5.2
pkgmd diff npm react 18.2.0 18.3.0
```

Omit the version to resolve the latest published release. Output is written to a `.md` file in the current directory, or to stdout with `-o -`.

---

## Claude Code Skill

Install the `package-inspect` skill to have Claude automatically inspect packages before installing them:

```bash
npx @anthropic-ai/claude-code add-skill arsolutioner/pkgmd
```

The skill teaches Claude to run `pkgmd ingest` before any `npm install`, `pip install`, `go get`, or equivalent command, and review the digest for signs of compromise.

---

## Supported Ecosystems

| Ecosystem | Spec format | Example |
|-----------|-------------|---------|
| npm | `name@version` | `react@18.2.0` |
| PyPI | `name==version` | `requests==2.32.3` |
| Go | `module@version` | `rsc.io/quote@v1.5.2` |
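The three spec formats above differ in their separator and in how a missing version is handled. The parser below is an added example, not pkgmd's own code, that normalizes a spec into `(ecosystem, name, version)` with `None` meaning "latest"; the scoped-npm (`@scope/name`) handling, the PEP 503 name normalization for PyPI, and the leading-`v` check for Go versions are this example's assumptions about sensible behaviour, not documented pkgmd behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PackageSpec:
    ecosystem: str
    name: str
    version: Optional[str]  # None means "resolve the latest published release"

# PEP 503: runs of '-', '_' and '.' collapse to a single '-', name is lowercased.
_PYPI_NORMALIZE = re.compile(r"[-_.]+")

def parse_spec(ecosystem: str, spec: str) -> PackageSpec:
    """Parse one pkgmd-style spec (npm name@version, PyPI name==version, Go module@version)."""
    eco = ecosystem.lower()
    spec = spec.strip()
    if not spec:
        raise ValueError("empty package spec")
    if eco == "npm":
        # Scoped packages start with '@', so split on the last '@' after index 0,
        # not the first: '@types/node@20.0.0' -> ('@types/node', '20.0.0').
        cut = spec.rfind("@")
        name, sep, version = (spec[:cut], "@", spec[cut + 1:]) if cut > 0 else (spec, "", "")
    elif eco == "pypi":
        name, sep, version = spec.partition("==")
        name = _PYPI_NORMALIZE.sub("-", name).lower()
    elif eco == "go":
        # Module paths never contain '@', so a plain partition is unambiguous.
        name, sep, version = spec.partition("@")
        if sep and not version.startswith("v"):
            raise ValueError(f"Go module versions must start with 'v': {version!r}")
    else:
        raise ValueError(f"unsupported ecosystem: {ecosystem!r}")
    if not name:
        raise ValueError(f"missing package name in {spec!r}")
    if sep and not version:
        # 'react@' or 'requests==' is a typo, not a request for the latest release.
        raise ValueError(f"separator present but no version in {spec!r}")
    return PackageSpec(eco, name, version if sep else None)

def format_spec(p: PackageSpec) -> str:
    """Render a parsed spec back into the form the table above documents."""
    if p.version is None:
        return p.name
    sep = "==" if p.ecosystem == "pypi" else "@"
    return f"{p.name}{sep}{p.version}"
```

A wrapper that records the exact `format_spec` string alongside the generated digest gives a reviewer a pinned reference for what was actually inspected.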

---

## License

MIT
