Comment by mapontosevenths

This is how everyone does it now. Including Anthropic.

To be fair, is that any different from naively trusting NPM? It's not like NPM is doing any vetting. They're every threat actors favorite sandbox these days.

https://code.claude.com/docs/en/quickstart