x402 · base · quality 0.45

npm package CVE lookup, maintainer analysis, and download trend scoring via x402-paid API

Price: per_call
Protocol: x402
Verified: no

What it does

DeFi Shield's `/api/dev/package-risk` endpoint performs security analysis on npm packages. It checks for known CVEs, evaluates maintainer reputation, and analyzes download trends to produce a risk assessment. The endpoint is part of a larger suite of 69 paid API endpoints focused on security intelligence for autonomous AI agents.

Payment is handled via the x402 protocol using USDC on Base. The listed price for this endpoint is $0.10 per call. Agents send a POST request with an x402 payment header containing a USDC payment token; the payment settles only on a successful response. Free endpoint discovery is available via GET on the same path, which returns schema information and an LLM usage prompt.

The endpoint is hosted on Vercel and returned a 402 status on probe, confirming it is live and accepting x402 payment challenges. No OpenAPI schema or detailed documentation page was found (the /docs path returns 404), so exact request/response schemas are inferred from the landing page description and sibling endpoint patterns. The parent platform (DeFi Shield v3.0.0) offers 11 categories of endpoints spanning DeFi intelligence, wallet analysis, MEV detection, NFT analysis, developer security, and more, all priced between $0.01 and $2.50 per call.

Capabilities

  • npm-cve-lookup
  • maintainer-analysis
  • download-trend-analysis
  • package-risk-scoring
  • x402-payment
  • usdc-base-settlement

Use cases

  • AI agents evaluating npm dependency risk before installing or recommending packages
  • Automated CI/CD pipelines checking package security posture per request
  • Autonomous developer agents scanning project dependencies for known CVEs
  • Security-focused bots monitoring maintainer changes and download anomalies in npm packages

Fit

Best for

  • AI agents needing per-call npm package risk assessment without API key management
  • Autonomous workflows requiring CVE and maintainer reputation data on demand
  • Developers integrating lightweight supply-chain security checks into agent pipelines

Not for

  • Bulk scanning of entire dependency trees (per-call pricing at $0.10 adds up quickly)
  • Non-npm ecosystems (PyPI, Maven, etc.) — endpoint appears npm-specific
  • Users who need free or unlimited vulnerability scanning (consider npm audit or Snyk free tier)

Quick start

# Discover endpoint schema (free)
curl https://defi-shield-hazel.vercel.app/api/dev/package-risk

# Paid request (requires x402 payment header)
curl -X POST https://defi-shield-hazel.vercel.app/api/dev/package-risk \
  -H "Content-Type: application/json" \
  -H "X-PAYMENT: <x402-payment-token>" \
  -d '{"package": "lodash"}'

Example

Request

{
  "package": "lodash"
}

Response

{
  "cves": [
    {
      "id": "CVE-2021-23337",
      "severity": "high",
      "description": "Prototype pollution in lodash"
    }
  ],
  "package": "lodash",
  "version": "4.17.21",
  "downloads": {
    "trend": "stable",
    "weekly": 45000000
  },
  "risk_score": 0.15,
  "maintainers": {
    "count": 3,
    "reputation": "high"
  }
}

Endpoint

Transport: http
Protocol: x402
Pay to: 0x0814d35F25F2EF3Dffa4aEF4d137558D5E51Ed7b
Currency: USD COIN

Quality

0.45 / 1.00

The endpoint is confirmed live (402 challenge captured) and the landing page provides a clear description and price ($0.10). However, no OpenAPI schema, no detailed docs, and no example request/response bodies are available. The request and response JSON examples are inferred from the endpoint description and common patterns, not from actual documentation.

Warnings

  • No OpenAPI or JSON schema available for this endpoint
  • Documentation page (/docs) returns 404
  • Request and response examples are inferred, not sourced from actual documentation
  • x402 challenge body was empty — no payment parameters (amount, token, network) were captured in the probe

Provenance

Indexed from: x402_bazaar
Enriched: 2026-04-22 02:49:29Z · anthropic/claude-opus-4.6 · v2
First seen: 2026-04-21
Last seen: 2026-04-22
