PkgDrift — an autonomous LLM refinement pipeline that continuously analyzes open-source packages for drift, vulnerabilities, and supply-chain risk. Machine-readable trust decisions for CI/CD, security tooling, and AI agents.
Unified composite assessment — decision, risk score, reputation, remediation, and dependency shocks in a single response shaped for CI/CD and AI agents.
Send a full dependency manifest in one request. Unknown packages do not fail the batch. Per-package rate-limit accounting is preserved across all results.
BFS transitive dependency risk propagation up to depth 5. Identifies risky transitive dependencies invisible to shallow scans — up to 200 nodes per call.
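A breadth-first walk with the depth and node limits quoted above, as an added example that is not PkgDrift's own code: it shows why a depth-1 scan misses a risky package four hops down. The package names, the 0-to-1 risk scale, and the 0.7 threshold are constructed assumptions.

```python
from collections import deque

MAX_DEPTH = 5    # depth limit stated on the page
MAX_NODES = 200  # per-call node cap stated on the page

# Constructed sample data: declared dependencies and per-package risk (assumed 0..1 scale).
DEPS = {
    "app": ["web-framework", "logger"],
    "web-framework": ["template-engine", "logger"],  # diamond on logger
    "template-engine": ["string-utils"],
    "string-utils": ["left-padder"],
    "left-padder": ["string-utils"],                 # cycle back up the tree
}
RISK = {"logger": 0.1, "web-framework": 0.2, "left-padder": 0.9}

def risk_graph(root, deps, risk, threshold=0.7,
               max_depth=MAX_DEPTH, max_nodes=MAX_NODES):
    """Return (findings, truncated) for a bounded BFS from root.

    findings lists (package, depth, path) for every transitive package whose
    risk meets the threshold; truncated is True if the node cap cut the walk.
    """
    seen = {root}
    queue = deque([(root, 0, (root,))])
    findings, truncated = [], False
    while queue:
        pkg, depth, path = queue.popleft()
        if depth > 0 and risk.get(pkg, 0.0) >= threshold:
            findings.append((pkg, depth, path))
        if depth == max_depth:
            continue  # do not expand past the depth limit
        for child in deps.get(pkg, ()):
            if child in seen:
                continue  # already visited: handles cycles and diamonds
            if len(seen) >= max_nodes:
                truncated = True  # result is partial; caller should not treat it as clean
                break
            seen.add(child)
            queue.append((child, depth + 1, path + (child,)))
    return findings, truncated

if __name__ == "__main__":
    print("depth 1:", risk_graph("app", DEPS, RISK, max_depth=1))
    print("depth 5:", risk_graph("app", DEPS, RISK))
```

A `truncated` result should be treated as incomplete rather than as a pass, since unvisited nodes may still carry risk.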

| Method | Path | Description |
|---|---|---|
| GET | /v1/intelligence/{eco}/{name} | Composite assessment: decision, risk score, reputation, shocks, remediation |
| POST | /v1/intelligence/bulk | Batch assessment — up to 50 packages per request |
| GET | /v1/package/{eco}/{name} | Full package record — risk score, confidence, maintainers, CVEs |
| GET | /v1/package/{eco}/{name}/dependencies | Declared dependency list |
| GET | /v1/package/{eco}/{name}/vulnerabilities | Known CVEs and advisories |
| GET | /v1/package/{eco}/{name}/reputation | Reputation composite (6-signal model) |
| GET | /v1/package/{eco}/{name}/shock | Shock event timeline |
| GET | /v1/package/{eco}/{name}/remediation | Actionable remediation plan with urgency level |
| GET | /v1/package/{eco}/{name}/risk-graph | BFS dependency risk graph (up to 200 nodes) |
| GET | /v1/packages | Browse all indexed packages |
| GET | /v1/advisories | Browse all advisory records |
| GET | /v1/nvd | Browse NVD vulnerability data |
| GET | /health | Server health check |

| Plan | Price | Monthly Quota | Overage | Hourly Limit |
|---|---|---|---|---|
| Basic | Free | 5,000 / mo | Hard stop | 100 / hr |
| Pro | $9.99 / mo | 50,000 / mo | $0.25 / 1,000 | 500 / hr |
| Ultra | $29.99 / mo | 250,000 / mo | $0.15 / 1,000 | 1,000 / hr |
| Mega | $99.99 / mo | 1,000,000 / mo | $0.08 / 1,000 | 5,000 / hr |

Last updated: 2026-05-31
The OpenClaw API and related services are operated under the trade name "pkgdrift" ("we", "us", or "our").
The Service provides informational, analytical, and automated decision-support outputs only. We do not provide legal, security, compliance, investment, accounting, engineering, or professional advice. Users are solely responsible for independently evaluating all outputs before relying on them.
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, AVAILABILITY, SECURITY, AND ERROR-FREE OPERATION.
We may generate automated recommendations, classifications, risk scores, summaries, analyses, or other machine-generated outputs. Such outputs may be inaccurate, incomplete, outdated, or unsuitable for a particular purpose. Users assume all risks associated with reliance upon any output generated by the Service.
We rely on information provided by third parties, including package registries, vulnerability databases, security advisories, source-code repositories, and public data sources. We do not guarantee the completeness, accuracy, availability, or timeliness of any third-party information.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR MULTIPLE DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, BUSINESS INTERRUPTION, LOSS OF GOODWILL, LOSS OF DATA, OR COST OF SUBSTITUTE SERVICES.
For free users: OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED ONE HUNDRED CANADIAN DOLLARS (CAD $100).
For paying customers: OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (A) CAD $100 OR (B) THE FEES PAID BY THE CUSTOMER DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
We do not warrant that use of the Service will identify all vulnerabilities, security risks, malicious packages, supply-chain attacks, compliance issues, or software defects. The absence of a warning, advisory, recommendation, or detection does not imply the absence of risk.
The customer shall defend, indemnify, and hold harmless us, our officers, directors, employees, contractors, and affiliates from any claims, damages, liabilities, losses, costs, and expenses arising from:
We may suspend, throttle, restrict, or terminate access at any time, with or without notice, to protect the Service, infrastructure, users, or third parties. You may not use this API to:
We shall not be liable for failures caused by events beyond our reasonable control, including internet outages, cloud provider failures, cyberattacks, denial-of-service attacks, labor disputes, natural disasters, government actions, or third-party service disruptions.
These Terms shall be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein.
Any dispute arising from these Terms shall be resolved through binding arbitration in Ontario, Canada, to the extent permitted by applicable law.
We expressly disclaim liability for software deployment decisions, package upgrades, dependency updates, security remediation actions, vulnerability management decisions, CI/CD pipeline actions, automated workflows, AI-agent actions, or any operational decisions made based on Service outputs.
By accessing this API you agree to these terms.