
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
agent-primer
Advanced tools
Prime your Agent sessions with preloaded skills from ~/.claude/skills and ./.claude/skills
Prime your agent sessions with preloaded skills and domain knowledge.
Agent Primer cuts through the noise of available skills by letting you assert what matters for each session. Selected primitives are injected into the system prompt so the agent has the right context from the first message.
# With bun (recommended)
bun install -g agent-primer
# With npm
npm install -g agent-primer
Requires Bun runtime and Claude Code CLI
# Launch the interactive wizard
ap
# List all available primitives
ap --list
# Dangerous mode (skips permission prompts)
apx
ap # Standard mode
apx # Dangerous mode (skips permission prompts)
agent-primer # Full command name
ap--append-system-promptAgent Primer uses the concept of "primitives" -- units of knowledge that can be preloaded into an agent session. Each primitive type serves a different purpose.
Behavioral patterns and best practices. Skills tell the agent how to work: coding standards, review processes, tool-specific patterns.
~/.claude/skills/
└── my-skill/
├── SKILL.md # Required: main skill file
└── references/ # Optional: additional context
├── patterns.md
└── examples.md
SKILL.md uses YAML frontmatter:
---
name: my-skill
description: Brief description shown in the selector
---
# My Skill
Instructions, patterns, and best practices for the agent to follow.
Reference knowledge about a subject area. Domains tell the agent what it is working with: business context, specifications, terminology, architecture docs.
~/.claude/domains/
└── my-domain/
├── DOMAIN.md # Required: main domain file
└── references/ # Optional: deeper reference material
├── glossary.md
└── api-spec.md
DOMAIN.md uses YAML frontmatter:
---
name: my-domain
description: Brief description shown in the selector
---
# My Domain
Core concepts, terminology, and reference material.
| Location | Scope | Primitive Types |
|---|---|---|
~/.claude/skills/ | Global | Skills available in all projects |
./.claude/skills/ | Local | Project-specific skills |
~/.claude/domains/ | Global | Domains available in all projects |
./.claude/domains/ | Local | Project-specific domains |
Items are labeled [global] or [local] in the picker.
| Command | Description |
|---|---|
ap | Standard mode - prompts for permissions |
apx | Dangerous mode - auto-passes --dangerously-skip-permissions |
agent-primer | Full command (same as ap) |
-h, --help Show help message
-l, --list List available primitives and exit
--clear-recent Clear the recent selections cache
Use -- to separate agent-primer options from Claude options:
ap -- --model opus # Use Opus model
ap -- --model sonnet # Use Sonnet model
ap -- -p "prompt" # Non-interactive prompt mode
ap -- -c # Continue previous conversation
# Interactive wizard
ap
# List everything available
ap --list
# Dangerous mode with Opus
apx -- --model opus
# Non-interactive with preloaded primitives
ap -- -p "refactor this function"
# Clear the recent selections cache
ap --clear-recent
--append-system-promptRecent selections are cached at ~/.cache/agent-primer/recent.json to
surface frequently used items first in the picker.
# Clear the cache
ap --clear-recent
MIT
FAQs
Prime your Agent sessions with preloaded skills from ~/.claude/skills and ./.claude/skills
The npm package agent-primer receives a total of 4 weekly downloads. As such, agent-primer popularity was classified as not popular.
We found that agent-primer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.