github/sandbox-npm-install
skills/sandbox-npm-install/SKILL.md
Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back.
$ install --global
skillsauthnpx skillsauth add github/awesome-copilot sandbox-npm-installInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
70%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 2:18 PM212.1s1 file scanned
SKILL.md
- name:
- sandbox-npm-install
- description:
- Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back.
Sandbox npm Install
When to Use This Skill
Use this skill whenever:
- You need to install npm packages for the first time in a new sandbox session
package.jsonorpackage-lock.jsonhas changed and you need to reinstall- You encounter native binary crashes with errors like
SIGILL,SIGSEGV,mmap, orunaligned sysNoHugePageOS - The
node_modulesdirectory is missing or corrupted
Prerequisites
- A Docker sandbox environment with a virtiofs-mounted workspace
- Node.js and npm available in the container
- A
package.jsonfile in the target workspace
Background
Docker sandbox workspaces are typically mounted via virtiofs (file sync between the host and Linux VM). Native Go and Rust binaries (esbuild, lightningcss, rollup, etc.) crash with mmap alignment failures when executed from virtiofs on aarch64. The fix is to install on the container's local ext4 filesystem and symlink back into the workspace.
Step-by-Step Installation
Run the bundled install script from the workspace root:
bash scripts/install.sh
Common Options
| Option | Description |
|---|---|
| --workspace <path> | Path to directory containing package.json (auto-detected if omitted) |
| --playwright | Also install Playwright Chromium browser for E2E testing |
What the Script Does
- Copies
package.json,package-lock.json, and.npmrc(if present) to a local ext4 directory - Runs
npm ci(ornpm installif no lockfile) on the local filesystem - Symlinks
node_modulesback into the workspace - Verifies known native binaries (esbuild, rollup, lightningcss, vite) if present
- Optionally installs Playwright browsers and system dependencies (uses
sudowhen available)
If verification fails, run the script again — crashes can be intermittent during initial setup.
Post-Install Verification
After the script completes, verify your toolchain works. For example:
npm test # Run project tests
npm run build # Build the project
npm run dev # Start dev server
Important Notes
- The local install directory (e.g.,
/home/agent/project-deps) is container-local and is NOT synced back to the host - The
node_modulessymlink appears as a broken link on the host — this is harmless sincenode_modulesis typically gitignored - Running
npm ciornpm installon the host naturally replaces the symlink with a real directory - After any
package.jsonorpackage-lock.jsonchange, re-run the install script - Do NOT run
npm ciornpm installdirectly in the mounted workspace — native binaries will crash
Troubleshooting
| Problem | Solution |
|---|---|
| SIGILL or SIGSEGV when running dev server | Re-run the install script; ensure you're not running npm install directly in the workspace |
| node_modules not found after install | Check that the symlink exists: ls -la node_modules |
| Permission errors during install | Ensure the local deps directory is writable by the current user |
| Verification fails intermittently | Run the script again — native binary crashes can be non-deterministic on first load |
Vite Compatibility
If your project uses Vite, you may need to allow the symlinked path in server.fs.allow. Add the symlink target's parent directory (e.g., /home/agent/project-deps/) to your Vite config so that Vite can serve files through the symlink.
Related Skills
github/python-pypi-package-builder
tools
VerifiedTrustedOfficial
End-to-end skill for building, testing, linting, versioning, and publishing a production-grade Python library to PyPI. Covers all four build backends (setuptools+setuptools_scm, hatchling, flit, poetry), PEP 440 versioning, semantic versioning, dynamic git-tag versioning, OOP/SOLID design, type hints (PEP 484/526/544/561), Trusted Publishing (OIDC), and the full PyPA packaging flow. Use for: creating Python packages, pip-installable SDKs, CLI tools, framework plugins, pyproject.toml setup, py.typed, setuptools_scm, semver, mypy, pre-commit, GitHub Actions CI/CD, or PyPI publishing.
29,271SKILL.mdUpdated Apr 11, 2026
github/mcp-security-audit
tools
VerifiedTrustedOfficial
Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when: - Reviewing .mcp.json files for security risks - Checking MCP server args for hardcoded secrets or shell injection patterns - Validating that MCP servers use pinned versions (not @latest) - Detecting unpinned dependencies in MCP server configurations - Auditing which MCP servers a project registers and whether they're on an approved list - Checking for environment variable usage vs. hardcoded credentials in MCP configs - Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json" keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance]
29,271SKILL.mdUpdated Apr 11, 2026
github/lsp-setup
tools
VerifiedTrustedOfficial
Enable code intelligence (go-to-definition, find-references, hover, type info) for any programming language by installing and configuring an LSP server for Copilot CLI. Detects the OS, installs the right server, and generates the JSON configuration (user-level or repo-level). Use when you need deeper code understanding and no LSP server is configured, or when the user asks to set up, install, or configure an LSP server.
29,271SKILL.mdUpdated Apr 11, 2026
github/gsap-framer-scroll-animation
development
VerifiedTrustedOfficial
Use this skill whenever the user wants to build scroll animations, scroll effects, parallax, scroll-triggered reveals, pinned sections, horizontal scroll, text animations, or any motion tied to scroll position — in vanilla JS, React, or Next.js. Covers GSAP ScrollTrigger (pinning, scrubbing, snapping, timelines, horizontal scroll, ScrollSmoother, matchMedia) and Framer Motion / Motion v12 (useScroll, useTransform, useSpring, whileInView, variants). Use this skill even if the user just says "animate on scroll", "fade in as I scroll", "make it scroll like Apple", "parallax effect", "sticky section", "scroll progress bar", or "entrance animation". Also triggers for Copilot prompt patterns for GSAP or Framer Motion code generation. Pairs with the premium-frontend-ui skill for creative philosophy and design-level polish.
29,271SKILL.mdUpdated Apr 11, 2026