Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

7a336e6e/auditing-dependencies

Name: auditing-dependencies
Author: 7a336e6e

security/auditing-dependencies/SKILL.md

npx skillsauth add 7a336e6e/skills auditing-dependencies

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Auditing Dependencies

Goal

Maintain a "clean room" environment where every external package is verified, pinned, and free of known vulnerabilities (CVEs) or malicious maintainer practices.

When to Use

When adding a new dependency.
During weekly maintenance cycles.
When a security alert is published for the tech stack.

Instructions

1. Scan for Known Vulnerabilities

Use ecosystem-specific tools to check against CVE databases.

Node/JS: npm audit or pnpm audit.
Python: pip-audit or safety.
General: GitHub Dependabot alerts (if available).

2. Verify Package Health (Supply Chain Hygiene)

Before installing a package, check:

Maintenance: Last commit date < 6 months ago?
Popularity/Community: Stars, downloads, and active issues.
Maintainer Reputation: Is it a solo dev with no history, or a recognized organization?
Typosquatting: Double-check the spelling (e.g., react vs raect).

3. Pin Versions

Never use loose version ranges in production.

Good: "react": "18.2.0" (Exact version)
Bad: "react": "^18.2.0" (Allows updates that might introduce bugs or malware)
Lockfiles: Ensure package-lock.json, pnpm-lock.yaml, or poetry.lock is committed.

4. Minimize Dependency Tree

Do we need a 5MB library for a function we can write in 10 lines?
"Tree-shaking" only helps bundle size; it doesn't prevent install-time scripts from running.

Constraints

✅ Do

Use a Software Bill of Materials (SBOM) approach: know exactly what is running.
Audit dev dependencies too; they run on developer machines and CI servers.
Automate dependency scanning in the CI/CD pipeline.
Remove unused dependencies immediately.

❌ Don't

DO NOT ignore "moderate" severity alerts if they are easy to exploit.
DO NOT install packages from unverified registries.
DO NOT blind-update all packages without testing.

Output Format

Update package.json / requirements.txt with pinned versions.
AUDIT_LOG.md entry confirming the check.

Dependencies

shared/environment-config/SKILL.md

7a336e6e/auditing-dependencies

security/auditing-dependencies/SKILL.md

Analyze third-party libraries and supply chain risks to ensure no compromised or vulnerable code enters the project.

1 stars

development

Updated Mar 25, 2026

$ install --global

skillsauth

npx skillsauth add 7a336e6e/skills auditing-dependencies

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

70%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 26, 2026, 2:09 AM180.7s1 file scanned

SKILL.md

name:: auditing-dependencies
description:: Analyze third-party libraries and supply chain risks to ensure no compromised or vulnerable code enters the project.

Auditing Dependencies

Goal

Maintain a "clean room" environment where every external package is verified, pinned, and free of known vulnerabilities (CVEs) or malicious maintainer practices.

When to Use

When adding a new dependency.
During weekly maintenance cycles.
When a security alert is published for the tech stack.

Instructions

1. Scan for Known Vulnerabilities

Use ecosystem-specific tools to check against CVE databases.

Node/JS: npm audit or pnpm audit.
Python: pip-audit or safety.
General: GitHub Dependabot alerts (if available).

2. Verify Package Health (Supply Chain Hygiene)

Before installing a package, check:

Maintenance: Last commit date < 6 months ago?
Popularity/Community: Stars, downloads, and active issues.
Maintainer Reputation: Is it a solo dev with no history, or a recognized organization?
Typosquatting: Double-check the spelling (e.g., react vs raect).

3. Pin Versions

Never use loose version ranges in production.

Good: "react": "18.2.0" (Exact version)
Bad: "react": "^18.2.0" (Allows updates that might introduce bugs or malware)
Lockfiles: Ensure package-lock.json, pnpm-lock.yaml, or poetry.lock is committed.

4. Minimize Dependency Tree

Do we need a 5MB library for a function we can write in 10 lines?
"Tree-shaking" only helps bundle size; it doesn't prevent install-time scripts from running.

Constraints

✅ Do

Use a Software Bill of Materials (SBOM) approach: know exactly what is running.
Audit dev dependencies too; they run on developer machines and CI servers.
Automate dependency scanning in the CI/CD pipeline.
Remove unused dependencies immediately.

❌ Don't

DO NOT ignore "moderate" severity alerts if they are easy to exploit.
DO NOT install packages from unverified registries.
DO NOT blind-update all packages without testing.

Output Format

Update package.json / requirements.txt with pinned versions.
AUDIT_LOG.md entry confirming the check.

Dependencies

shared/environment-config/SKILL.md

Related Skills

7a336e6e/Test Driven Development

development

VerifiedTrustedCommunity

Implement features using the Red-Green-Refactor cycle to ensure testability and correctness from the start.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/Test Driven Development

7a336e6e/task-tracking

data-ai

VerifiedTrustedCommunity

Manage the `tasks.md` ledger with strict locking and collision avoidance protocols to allow multiple agents to work in parallel safely.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/task-tracking

7a336e6e/git-workflow

development

VerifiedTrustedCommunity

The git-workflow skill defines branching conventions, commit message formats, and pull request standards that all agents must follow for consistent version control.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/git-workflow

7a336e6e/environment-config

development

VerifiedTrustedCommunity

The environment-config skill standardizes how agents manage environment variables, secrets, and application configuration across local development and deployed environments.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/environment-config

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/7a336e6e/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/security/auditing-dependencies ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

7a336e6e/skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT