
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@bobsworkshop/cli
Advanced tools
// File: README.md
Bob's CLI is a locally-installed developer tool that provides a senior-level AI engineering partner directly inside your native terminal. Stay in your development environment. Never switch to a browser. Ship faster.
Installation · Quick Start · Features · Docs
Built by Bob's Workshop — A Seedling Company
Every other AI coding assistant lives in a browser, disconnected from your actual workflow. Bob lives where your code lives — in your terminal. He sees your files, understands your architecture, writes code with your approval, and learns how YOU work over time.
| Feature | Bob's CLI | Claude Code | Copilot | Cursor |
|---|---|---|---|---|
| Local file awareness | ✅ | ✅ | ❌ | ✅ |
| Zero-cost local model | ✅ | ❌ | ❌ | ❌ |
| Behavioral profiling | ✅ | ❌ | ❌ | ❌ |
| Personalization Mode | ✅ | ❌ | ❌ | ❌ |
| Conversation persistence | ✅ | ❌ | ❌ | Partial |
| Deep Dives & Forks | ✅ | ❌ | ❌ | ❌ |
| Remote execution (SovereignLink) | ✅ | ❌ | ❌ | ❌ |
| Cross-surface sync (CLI ↔ Web) | ✅ | ❌ | ❌ | ❌ |
| Autonomous code repair | ✅ | Manual | ❌ | Partial |
| Source code stays on-device | ✅ | ❌ | ❌ | ❌ |
pnpm add -g @bobsworkshop/cli
Or with npm:
npm install -g @bobsworkshop/cli
Verify:
bob whoami
Requirements:
Full setup guide: https://seedling-io.gitbook.io/bob-cli/
bob config set provider local
bob config set localEndpoint http://127.0.0.1:11434/api/chat
bob chat "hello, what can you help me with?"
No internet. No API keys. No cost. Your code never leaves your machine.
bob login
bob chat "help me refactor this service"
Sync to web. Access Claude, Gemini, deep dives, forks, and personalization.
| Feature | Description |
|---|---|
| Chat | AI coding partner with automatic file discovery |
| Consult | Strategic advice, no code output |
| Index | AI-powered project understanding |
| Analyse | Full QA code review with auto-fix |
| Autonomy | Autonomous repair across entire codebase |
| Profile | Behavioral DNA profiling + dashboard |
| Deep Dive | Sandboxed exploration on any message |
| Fork | Branch conversations into sub-projects |
| SovereignLink | Remote execution from any device |
| BYOK | Bring your own API keys |
| Push | Git stage + commit + push in one command |
Powered by the Frank Reasoning Engine. Bob learns how you work and adapts:
Tone, pacing, and depth matched to your style
Blind spots proactively addressed
Emotional state calibrated encouragement
bob profile --cloud bob chat --personalized "what should I focus on?"
bob chat "question" # AI coding partner
bob consult "question" # Strategic advice
bob index # Index codebase
bob analyse # Code review
bob analyse --auto # Auto-fix
bob autonomy # Full autonomous repair
bob profile --cloud # Generate DNA profile
bob profile # View dashboard
bob deepdive # Sandboxed exploration
bob fork "topic" # Branch conversation
bob serve # Start SovereignLink
bob remote chat "msg" # Remote execution
bob push "message" # Git push
bob login # Authenticate
bob byok set google <key> # Add BYOK key
bob whoami # Status
Tier 1 — Local (Free) Tier 3 — Platform (Subscription)
- Your model (Ollama) - Claude / Gemini
- Files on your machine - Conversations sync to web
- Local profiling - Cloud profiling + Frank Engine
- Zero cost - Deep dives, forks, remote exec
Same commands. Scale without changing tools.
The AI coding tool that learns how you think.
Bob's CLI · Bob's Workshop · Seedling
Written by Bob.
FAQs
Bob's CLI — AI coding assistant and Forge orchestrator
The npm package @bobsworkshop/cli receives a total of 1,160 weekly downloads. As such, @bobsworkshop/cli popularity was classified as popular.
We found that @bobsworkshop/cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.