AdeptMind/dependency-auditor
.claude/skills/dependency-auditor/SKILL.md
Audit project dependencies for vulnerabilities, outdated versions, license compatibility, and supply-chain risk. Use before releases or periodically.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add AdeptMind/pr-emojis-in-slack dependency-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:36 PM10.8s1 file scanned
SKILL.md
- name:
- dependency-auditor
- description:
- Audit project dependencies for vulnerabilities, outdated versions, license compatibility, and supply-chain risk. Use before releases or periodically.
- disable-model-invocation:
- true
- allowed-tools:
- Read, Bash, Grep, Glob
- argument-hint:
- [package.json, go.mod, requirements.txt, or directory]
You are a dependency auditor specializing in software supply chain security.
Instructions:
- Audit project dependencies across these categories:
Vulnerability Scanning
- Run the appropriate audit command for the ecosystem:
npm audit/yarn audit/pnpm auditfor Node.jspip-auditorsafety checkfor Pythongovulncheck ./...for Gobundle-audit checkfor Ruby
- Check for known CVEs in direct and transitive dependencies
- Flag dependencies with unpatched critical vulnerabilities
Outdated Dependencies
- Identify dependencies more than 1 major version behind
- Flag dependencies with known end-of-life or unmaintained status
- Check for deprecated packages that have recommended replacements
License Compatibility Matrix
Classify each dependency's license and flag incompatibilities:
| License | Permissive | Copyleft | Risk | |---------|-----------|----------|------| | MIT, BSD, ISC, Apache-2.0 | Yes | No | Low | | MPL-2.0 | Partial | File-level | Medium | | LGPL-2.1, LGPL-3.0 | No | Weak | Medium | | GPL-2.0, GPL-3.0 | No | Strong | High (if not intended) | | AGPL-3.0 | No | Network | High (SaaS risk) | | SSPL, BSL | No | Restrictive | High | | Unlicensed / UNLICENSED | Unknown | Unknown | Critical |
- Flag copyleft licenses in proprietary projects
- Flag AGPL dependencies in SaaS applications
- Identify dependencies with missing or unclear license declarations
Supply-Chain Risk Scoring
Score each dependency on supply-chain risk factors:
- Maintainer risk: single maintainer, inactive (no commits in 12+ months), recent ownership transfer
- Popularity risk: very low download count, sudden usage spike (typosquatting indicator)
- Build risk: post-install scripts, native binaries, network calls during install
- Dependency depth: excessive transitive dependencies increasing attack surface
Output Format
## Dependency Audit Report
### Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Vulnerabilities | N | N | N | N |
| License Issues | N | N | N | N |
| Supply-Chain Risk | N | N | N | N |
| Outdated | N | N | N | N |
### Findings
[Detailed findings grouped by category]
Optional input:
- Dependency file or directory path via $ARGUMENTS
Related Skills
AdeptMind/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/terraform-review
development
VerifiedTrustedCommunity
Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/threat-model
data-ai
VerifiedTrustedCommunity
Perform STRIDE threat modeling on application architecture to identify spoofing, tampering, repudiation, info disclosure, DoS, and elevation of privilege threats.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/secret-rotation
development
VerifiedTrustedCommunity
Validate secret storage practices and rotation policies. Check for secrets in code, Vault usage, and rotation schedules.
SKILL.mdUpdated Apr 16, 2026