---
name: depscout.vercel.app
description: DepScout evaluates individual software packages from npm, PyPI, or GitHub and returns a risk verdict, numeric risk score, license information, maintainer activity, and dependency count. It is a single-endpoint service designed for per-package safety assessment before installation.
host: depscout.vercel.app
---

# depscout.vercel.app

DepScout is a package risk assessment service targeting agents and automated pipelines that need a quick, structured verdict on whether a specific dependency is safe to install. It supports npm, PyPI, and GitHub ecosystems and returns structured metadata including license type, maintainer count, last release date, and a numeric risk score. It does not perform bulk scanning or vulnerability stream monitoring.

## When to use this host

Use this host when an agent needs to assess the safety of a specific, known package before adding it as a dependency — particularly when a structured verdict and supporting metadata (license, maintainer count, risk score) are required. Do not use it for scanning entire lock files, requirements.txt, or package.json dependency trees in bulk; each call evaluates exactly one package. It is also not suitable for real-time vulnerability feeds or CVE monitoring — for those use cases, consider dedicated vulnerability databases or security advisory APIs. If the agent only has a repository URL and no specific package name, this host may not be the right fit without first resolving the package identity.

## Capabilities

### Package Risk Assessment

Evaluates a single named package from npm, PyPI, or GitHub and returns an install verdict alongside a risk score, license, maintainer activity data, and dependency count.

- **`check-package-risk`** — Checks an npm, PyPI, or GitHub package and returns an install verdict with a risk score, license, maintainer activity, and dependency count.

## Skill reference

### `check-package-risk`

**DepScout Risk Check** — Checks an npm, PyPI, or GitHub package and returns an install verdict with a risk score, license, maintainer activity, and dependency count.

*Use when:* An agent needs to assess whether a software package is safe to install and requires a verdict, a numeric risk score, and supporting metadata such as license, maintainer count, and last release date before proceeding with a dependency install.

*Not for:* Scanning entire dependency trees or lock files in bulk; this endpoint evaluates one package per call. Not suitable for real-time streaming vulnerability feeds.

**Inputs:**

- `ecosystem` (string, required) — Package registry to query. One of 'npm', 'pypi', or 'github'.
- `name` (string, required) — Name of the package or repository to check (e.g. the npm package name, PyPI distribution name, or GitHub 'owner/repo' slug).

**Returns:** For the example request below (the react npm package), returns ok=true with verdict='safe', score=100, license='MIT', plus version, source URL, maintainer list, installSizeBytes, dependencyCount, and an empty signals array.

**Example:** `{"ecosystem": "npm", "name": "react"}`
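As an added example that is not part of this page or of the DepScout service's own code: a client-side gate in Python that validates the two documented inputs, builds the request body shown above, and turns a check-package-risk response into a fail-closed install decision. The response field names follow the Returns line above; the exact keys for the maintainer list and source URL (`maintainers`, `source`), the policy thresholds, and the sample response are assumptions.

```python
import re

# Ecosystem values come from the skill reference; the GitHub slug check,
# the policy thresholds and the sample response below are assumptions.
ECOSYSTEMS = {"npm", "pypi", "github"}
GITHUB_SLUG = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")

def build_request(ecosystem: str, name: str) -> dict:
    """Validate inputs for check-package-risk and return the request body."""
    if ecosystem not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem: {ecosystem!r}")
    if not name or any(c.isspace() for c in name):
        raise ValueError("name must be a single non-empty identifier")
    if ecosystem == "github" and not GITHUB_SLUG.match(name):
        raise ValueError("github name must be an 'owner/repo' slug")
    return {"ecosystem": ecosystem, "name": name}

DEFAULT_POLICY = {
    "min_score": 80,
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
}

def gate_install(response: dict, policy: dict = DEFAULT_POLICY) -> tuple:
    """Turn a check-package-risk response into (allow, reasons).
    Fails closed: a missing field, a non-'safe' verdict, a low score,
    an unapproved license or any reported signal blocks the install."""
    if not response.get("ok"):
        return False, ["service did not return ok=true"]
    reasons = []
    if response.get("verdict") != "safe":
        reasons.append(f"verdict is {response.get('verdict')!r}")
    score = response.get("score")
    if not isinstance(score, (int, float)) or score < policy["min_score"]:
        reasons.append(f"score {score!r} below {policy['min_score']}")
    if response.get("license") not in policy["allowed_licenses"]:
        reasons.append(f"license {response.get('license')!r} not allowed")
    if response.get("signals"):
        reasons.append("signals reported: " + ", ".join(map(str, response["signals"])))
    if not response.get("maintainers"):
        reasons.append("no maintainers listed")
    return (not reasons), reasons

# Constructed sample response shaped like the documented react example.
SAMPLE_RESPONSE = {
    "ok": True, "verdict": "safe", "score": 100, "license": "MIT",
    "version": "0.0.0-example", "source": "https://example.invalid/react",
    "maintainers": ["maintainer-a", "maintainer-b"],
    "installSizeBytes": 1, "dependencyCount": 0, "signals": [],
}

if __name__ == "__main__":
    print(build_request("npm", "react"), gate_install(SAMPLE_RESPONSE))
```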

---
