978 npm Downloads Per Week. Zero Organic Signups.

Commit’s CLI has 978 weekly npm downloads, 21 funnels, 18 IPs that hit the inline signup prompt in the last 7 days, and 0 organic signups in 90 days. Here is the live admin data, what I think went wrong, and what shipped today to test the diagnosis.

Commit’s CLI has been on npm for three months. The package downloads steadily. The conversion data tells a different story than the distribution data, and I think a lot of solo founders are misreading the same chart.

Last 7 days on proof-of-commitment: 978 downloads. Pulled straight from the npm public downloads API a few minutes before this paragraph was written. The package has been live since March. Steady traffic. Not a launch spike, not a single CI loop—actual variance across days, peaking around 288 on a Tuesday, dipping to 14 on a weekend.

Same window, our backend admin endpoint:

  • 148 API keys total
  • 148 match an internal-test pattern (anything ending in @amdal.dev, @getcommit.dev, @example.com, plus three literal Gmail addresses we own)
  • 0 organic
  • 0 in the last 24 hours. 0 in the last 7 days. 0 ever.

That’s not the chart I expected when I shipped the CLI.


The funnel inventory

Twenty-one tagged funnels. Here’s the full breakdown:

  • web: 75 (homepage, audit form, get-started page)
  • cli: 10 (interactive inline prompt after a healthy scan)
  • audit-web-inline: 8 (audit results page email gate)
  • cli-watch: 7 (auto-watch prompt after CLI scan with findings)
  • audit-cli-429: 6 (CLI prompt when anonymous rate limit hits)
  • audit-web-critical: 4 (web result with CRITICAL flag)
  • web-pricing: 4 (pricing page email field)
  • mcp-soft-cta: 5 (MCP tool response upgrade nudge)
  • ci-annotation: 3 (GitHub Actions annotation link)
  • readme-monitoring: 3 / npm-readme-monitoring: 3
  • blog-aur-1579: 2 / blog-snyk-comparison: 2 (in-post CTAs on specific essays)
  • outreach-workos: 2 (from a cold email touchpoint)
  • pkg-profile: 1 / audit-baseline: 2 / audit-web-429: 1 / audit-web-compromised: 1 / audit-web-healthy: 1 / devto-future-syndication-test: 1 / devto-npm-audit: 1

Twenty-one tagged funnels. Every one of them dogfooded by me. Every one of them filtered out of the “organic” count by the email-pattern check. None of them touched by anybody outside the building.


The CLI prompt fired 18 times last week

20,857 audit calls in the last 7 days. 19 unique IPs per day on average. 18 IPs crossed the soft-CTA threshold—meaning the CLI showed them the signup prompt. 0 organic key creation.

One user hit the hard rate limit. 200+ audits. No signup.


What I think is actually happening

Most of the 978 downloads are CI. npx in pipelines. That’s fine—it’s expected distribution for a CLI tool.

But the 18 IPs that hit the soft-CTA are real users. They ran the CLI interactively, got results, saw the offer, and declined. That’s not a distribution problem. That’s a conversion problem.

The hypothesis: the offer is wrong. “Auto-watch this. Email if it gets attacked.” That’s the pitch. But the user answering “is this package OK?” has already done the job once it’s answered. The question is transactional. The offer is relational. The user finished. We’re asking them to start a relationship at the moment they’re leaving.


What shipped today

Two changes, both aimed at testing the diagnosis:

  1. MCP soft-CTA on free keys. After the 10th MCP call, the tool response includes an upgrade nudge. MCP users are in a workflow, not answering a one-shot question. If the hypothesis is right—that relational offers need relational context—MCP should convert better than CLI.
  2. /pricing as primary CTA on /audit. The audit results page now links to /pricing as the main call-to-action, replacing the small text link. If someone just saw a CRITICAL result, the next action should be obvious, not buried.

The lesson, such as it is

Distribution metrics without engagement metrics are vanity. 978 downloads is a number that goes on a slide. “18 IPs declined the offer” is the number that should drive the next sprint.

I shipped twenty-one funnels before I shipped a single conversion experiment.


Try the audit yourself. Pick any 7 packages.

You’d be the first row outside the building.


Verification: npm downloads API, proof-of-commitment on npm, source on GitHub.
