
@taptap/data-skills

TapTap data team skill installer (wrapper around vercel-labs/skills with KB + MCP support)

Versions: 14
License: UNLICENSED
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

xdangertaptap-passporticepro-taptapzhoufeng7z7mikoto_zeroxianlihellovasslcxdapollopy-xd

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| semgrep | semgrep:env-spread | AI (semgrep): Spreads process.env to pass to subprocess with DISABLE_TELEMETRY override; standard pattern, not exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 is a localhost OAuth redirect URI; not a remote raw-IP connection. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads a local catalog.json path resolved at runtime; not arbitrary remote module loading. | ai | |

Versions (showing 14 of 14)

| Version | Deps (prod / dev) | Published |
| 0.1.13 | 5 / 0 | |
| 0.1.12 | 5 / 0 | |
| 0.1.11 | 5 / 0 | |
| 0.1.10 | 5 / 0 | |
| 0.1.9 | 5 / 0 | |
| 0.1.8 | 5 / 0 | |
| 0.1.7 | 5 / 0 | |
| 0.1.6 | 5 / 0 | |
| 0.1.5 | 4 / 0 | |
| 0.1.4 | 4 / 0 | |
| 0.1.3 | 4 / 0 | |
| 0.1.2 | 4 / 0 | |
| 0.1.1 | 4 / 0 | |
| 0.1.0 | 4 / 0 | |

v0.1.13

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.12

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.11

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.10

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.7

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.6

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.5

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.4

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

3 findings
HIGH  env-spread: commands/add.js:154  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      152 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      153 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 154 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      155 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      156 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

3 findings
HIGH  env-spread: commands/add.js:124  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      122 | // === Step 1: install shell via vercel-labs/skills (multi-host) ===
      123 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 124 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      125 | // Pass --agent <host1> <host2> ... explicitly. Without this, upstream's
      126 | // empty-agent + --yes path installs to ALL 18+ agents (cli.mjs:2413).

HIGH  env-spread: commands/remove.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      39 | // Step 1: skills CLI remove (delete the shell + host symlinks)
      40 | const skillsBin = require.resolve('skills/dist/cli.mjs');
    > 41 | const env = { ...process.env, DISABLE_TELEMETRY: '1' };
      42 | const recordedAgents = inst && Array.isArray(inst.agents) && inst.agents.length
      43 |   ? [...new Set(inst.agents)]

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.