tarsen
Open source. Built for developers & agents.

Stop running packages blindly.

Tarsen checks executable npm packages before developers or AI agents run them.

Open Source, CLI, Local-first

$ tarsen check create-random-app

Fetching package metadata...

Analyzed 132 files


Package       create-random-app@2.0.1

Published     2 days ago

Maintainers   unknown


! postinstall script detected

! child_process usage detected

! process.env access detected

! network access detected


Risk         HIGH

Decision     ASK USER BEFORE RUNNING


? Proceed with npx? no

Static analysis

Inspect package code without executing it.

Risk context

See scripts, network, filesystem and env access.

Safe execution

Run only after a clear, explicit decision.

WHY TARSEN

Package commands execute code with your permissions.

Running an unfamiliar package can expose your files, environment variables, network, and shell before you know what the package intends to do. The usual install prompt gives you almost no useful context.

WHAT IT IS

A local safety layer in front of executable npm packages.

Tarsen downloads the tarball into a temporary directory, analyzes it without executing package code, explains the signals, and asks before handing the command to npx. Humans get a readable report; agents get strict JSON.

INSTALL YOUR WAY

One package. Every npm-compatible workflow.

Install tarsen-cli globally and use the shorter tarsen command anywhere. npm, pnpm, Yarn, and Bun all resolve the same package from the public npm Registry.

Install globally

npm:  npm install --global tarsen-cli
pnpm: pnpm add --global tarsen-cli
yarn: yarn global add tarsen-cli
bun:  bun add --global tarsen-cli

Run once

npx:  npx tarsen-cli check react
pnpm: pnpm dlx tarsen-cli check react
yarn: yarn dlx tarsen-cli check react
bun:  bunx tarsen-cli check react

Prefer an installer?

The script detects npm, pnpm, Yarn, or Bun already installed on your machine.

curl: curl -fsSL https://raw.githubusercontent.com/pandapor/tarsen/main/install.sh | sh

01 Inspect: tarsen check react
02 Automate: tarsen check react --json
03 Run with consent: tarsen run create-next-app my-app

CHECK BEFORE RUN

Know what a package wants to do.

  • Lifecycle and install scripts
  • Shell and child process execution
  • Filesystem and environment access
  • Network calls and obfuscation
  • Machine-readable JSON for agents
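
The kind of static signal scan described above, covering the lifecycle-script, child-process, environment, network and obfuscation categories in this list, as an added example in JavaScript. It is not Tarsen's code or its detection rules; the regex patterns, the scanPackage function, the ask/allow policy and the sample package are assumptions constructed for illustration.

```javascript
// Static signal scan over unpacked package files (added example, not Tarsen's code).
// File contents are handled as strings only; nothing is require()d or executed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Hypothetical signal patterns (assumption: simple regexes, not a real parser).
const SOURCE_PATTERNS = [
  ["child_process usage", /\b(?:require\(\s*|from\s+)["'](?:node:)?child_process["']/],
  ["process.env access", /\bprocess\.env\b/],
  ["network access", /\b(?:require\(\s*|from\s+)["'](?:node:)?(?:https?|net|dgram|tls)["']|\bfetch\s*\(/],
  ["possible obfuscation", /\beval\s*\(|\bnew\s+Function\s*\(|Buffer\.from\([^)]*["']base64["']\)/],
];

function scanPackage(files) {
  const signals = new Set();
  let manifest = {};
  try {
    manifest = JSON.parse(files["package.json"] || "{}");
  } catch {
    signals.add("unparseable package.json");
  }
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") signals.add(`${hook} script`);
  }
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(path)) continue; // only JavaScript sources
    for (const [name, pattern] of SOURCE_PATTERNS) {
      if (pattern.test(text)) signals.add(name);
    }
  }
  const found = [...signals].sort();
  // Assumed policy: any signal means a human or agent must decide first.
  return { signals: found, decision: found.length ? "ask" : "allow" };
}

// Constructed sample package contents (not a real package).
const sample = {
  "package.json": JSON.stringify({
    name: "example-pkg", version: "0.0.0",
    scripts: { postinstall: "node setup.js", test: "node test.js" },
  }),
  "setup.js": 'const { execSync } = require("child_process");\n' +
    'const https = require("https");\n' +
    'const token = process.env.NPM_TOKEN;\n',
  "README.md": "eval( is mentioned here but this is not a JS file",
};

console.log(scanPackage(sample));
```

Regex matching of this kind misses aliased or dynamically built module names, so a clean result here is weaker evidence than a flagged one.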

FOR AI AGENTS

A safety checkpoint agents can understand.

Use tarsen check <package> --json to get structured risk, signals, and a recommendation before any executable package runs.
