skills/dependency-audit/SKILL.md
Dependency security, license, and freshness audit. Dispatches dependency-auditor agent to scan all package managers. Triggers: "dependency audit", "check dependencies", "npm audit", "security scan", "check for vulnerabilities", "outdated packages", "license check".
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add Wilder1222/superomni dependency-audit
```
Status protocol — end every session with one of: DONE (evidence provided) · DONE_WITH_CONCERNS (list each) · BLOCKED (state what blocks you) · NEEDS_CONTEXT (state what you need).
Auto-advance — pipeline: THINK → PLAN → REVIEW → BUILD → VERIFY → RELEASE. Only human gate is spec approval at THINK. On DONE at other stages, print [STAGE] DONE -> advancing to [NEXT-STAGE] and invoke the next skill. On any non-DONE status at any stage, STOP.
Output directory — all artifacts go in docs/superomni/<kind>/<kind>-[branch]-[session]-[date].md. See CLAUDE.md for the full directory map.
TACIT-DENSE — before high-tacit decisions, classify D1 (domain expertise) · D2 (user-facing UX) · D3 (team culture) · D4 (novel pattern). On hit, output TACIT-DENSE [D#]: [question] — My default: [recommendation]. See reference for actions.
Anti-sycophancy — take a position on every significant question. Name flaws directly. No filler ("that's interesting", "you might consider", "that could work").
Telemetry (local only) — at session end, log bin/analytics-log. Nothing leaves the machine.
See preamble-ref.md for detailed protocols.
Goal: Systematically audit all project dependencies for security vulnerabilities, license compliance, and staleness — then produce an actionable remediation plan.
A dependency with a known critical CVE and an available fix is a P0 blocker. No exceptions. The deployment gate is VERDICT: APPROVED from the dependency-auditor report.
Correct sequence:
1. Production Readiness check includes dependency audit
2. dependency-auditor finds: [email protected] — CVE-2022-24999 (critical) — fix: [email protected]
3. Action: npm update [email protected] → re-audit → APPROVED
4. Deploy proceeds

Violation:
"Audit passed last month, skip for now"
[VIOLATED: CVEs are disclosed daily — audit must happen before every deploy]
Identify all dependency manifests in the project:

```bash
# Find all package manifests
echo "=== npm/node ==="
find . -name "package.json" -not -path "*/node_modules/*" | head -5
echo "=== python ==="
find . \( -name "requirements*.txt" -o -name "Pipfile" -o -name "pyproject.toml" \) \
  -not -path "*/.git/*" | head -5
echo "=== go ==="
find . -name "go.mod" -not -path "*/.git/*" | head -3
echo "=== ruby ==="
find . -name "Gemfile" -not -path "*/.git/*" | head -3
echo "=== rust ==="
find . -name "Cargo.toml" -not -path "*/.git/*" | head -3
echo "=== java ==="
find . \( -name "pom.xml" -o -name "build.gradle" \) -not -path "*/.git/*" | head -3
```
Record what was found:

```
PACKAGE MANAGERS FOUND
────────────────────────────────────────
npm:   [manifest files found | none]
pip:   [manifest files found | none]
go:    [manifest files found | none]
ruby:  [manifest files found | none]
rust:  [manifest files found | none]
java:  [manifest files found | none]
────────────────────────────────────────
```
planner-reviewer Agent (Security Audit, Dependency Mode)

Dispatch the planner-reviewer agent in security audit mode (dependency sub-mode) with:

The agent will:

DEPENDENCIES (OWASP A06) section with verdict APPROVED / APPROVED_WITH_NOTES / CHANGES_REQUIRED

Handoff:
- APPROVED → proceed to Phase 3 summary
- APPROVED_WITH_NOTES → note P1/P2 findings for next sprint backlog
- CHANGES_REQUIRED → P0 CVEs found; apply remediation commands before re-auditing
- BLOCKED → package manager tools not available; install tools and retry

For each finding returned by the agent:
| Severity | Action | Timeline |
|----------|--------|----------|
| P0 Critical (CVSS ≥ 9.0) | Block deploy; fix immediately | Before any deployment |
| P1 High (CVSS 7-8.9) | Fix before next release | Within current sprint |
| P2 Medium (CVSS 4-6.9) | Fix if easy; backlog if not | Within next 2 sprints |
| P3 Low (CVSS < 4) | Backlog | Opportunistic |
| License type | Action |
|--------------|--------|
| GPL/AGPL in production | Legal review required before deploy |
| Unknown license | Legal review required |
| LGPL (dynamic link only) | Usually OK — confirm with legal |
| MIT/Apache/BSD/ISC | No action needed |
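The two triage tables and the handoff rules above, applied mechanically, as an added example (not part of the skill or the superomni project): it reads a constructed report in the shape of `npm audit --json` (npm 7+ layout, an assumption) plus a constructed package-to-license map, assigns each finding its P-level from the CVSS score, derives the license action, and returns the verdict the handoff expects. Treating P3-only findings as APPROVED is an assumption the page does not spell out.

```python
import json

# Constructed sample in the shape of an `npm audit --json` report (npm 7+ layout, an
# assumption); package names, scores and versions are made up for illustration.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"severity": "critical",
                           "fixAvailable": {"name": "example-parser", "version": "2.0.1", "isSemVerMajor": True},
                           "via": [{"title": "Prototype pollution", "cvss": {"score": 9.8}}]},
        "example-http": {"severity": "moderate", "fixAvailable": False,
                         "via": [{"title": "ReDoS", "cvss": {"score": 5.3}}, "example-parser"]},
    },
})
# Constructed license inventory (package -> SPDX id, None when the scanner could not tell).
SAMPLE_LICENSES = {"example-parser": "MIT", "example-http": "AGPL-3.0", "example-util": None}

def priority(cvss):
    """Map a CVSS base score to the P0-P3 tiers of the severity table."""
    if cvss >= 9.0:
        return "P0"
    if cvss >= 7.0:
        return "P1"
    return "P2" if cvss >= 4.0 else "P3"

def license_action(spdx):
    """License triage: copyleft and unknown licenses need legal review."""
    if spdx is None:
        return "Legal review required (unknown license)"
    if spdx.startswith(("GPL", "AGPL")):
        return "Legal review required (copyleft)"
    if spdx.startswith("LGPL"):
        return "Usually OK if dynamically linked; confirm with legal"
    return "No action needed"

def triage(audit_json, licenses):
    """Per-finding rows, P-level counts, license rows and the handoff verdict."""
    findings = []
    for name, vuln in json.loads(audit_json)["vulnerabilities"].items():
        # `via` mixes advisory dicts with bare names of other vulnerable packages; take the worst score.
        score = max((v["cvss"]["score"] for v in vuln["via"] if isinstance(v, dict)), default=0.0)
        fix = vuln.get("fixAvailable")
        fix_cmd = f"npm update {fix['name']}@{fix['version']}" if isinstance(fix, dict) else None
        findings.append({"package": name, "cvss": score, "priority": priority(score), "fix": fix_cmd})
    counts = {p: sum(f["priority"] == p for f in findings) for p in ("P0", "P1", "P2", "P3")}
    # Verdict follows the handoff rules; any P0 blocks, P1/P2 go to the backlog with notes.
    verdict = "CHANGES_REQUIRED" if counts["P0"] else ("APPROVED_WITH_NOTES" if counts["P1"] or counts["P2"] else "APPROVED")
    return {"findings": findings, "counts": counts, "verdict": verdict,
            "licenses": {pkg: license_action(spdx) for pkg, spdx in licenses.items()}}
```

Run on the sample it returns CHANGES_REQUIRED because of the single P0, with the exact `npm update` command the remediation step below expects.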
For each P0 finding, apply the exact remediation command from the agent's report:

```bash
# Example npm remediations (agent will provide actual commands)
# npm update vulnerable-package@safe-version
# npm audit fix --force (only if agent recommends)

# Verify fix applied
npm audit 2>&1 | grep -E "critical|high" | head -10
```
After applying remediations, re-run the test suite:

```bash
npm test 2>&1 | tail -10
```
If tests fail after upgrade → the dependency has a breaking change. Escalate to user.
```
DEPENDENCY AUDIT COMPLETE
════════════════════════════════════════
Scope: [package managers audited]
Date:  [YYYY-MM-DD]

Security:
  P0 Critical: [N] — [fixed | outstanding]
  P1 High:     [N]
  P2 Medium:   [N]
  P3 Low:      [N]

License:
  Copyleft risk: [N packages — names]
  Unknown:       [N packages — names]

Freshness:
  Major versions behind: [N packages]

Verdict: APPROVED | APPROVED_WITH_NOTES | CHANGES_REQUIRED

Remediation applied:
  [package@version] — [CVE fixed]

Backlog items (P1/P2):
  [package] — [finding] — fix by [sprint/date]

Status: DONE | DONE_WITH_CONCERNS | BLOCKED
════════════════════════════════════════
```
```bash
mkdir -p docs/superomni/evaluations
# An `|| echo` after the pipeline only fires when `tr` fails, not when git prints nothing,
# so apply the "unknown" fallback to the captured value instead
_BRANCH=$(git branch --show-current 2>/dev/null | tr '/' '-')
_BRANCH=${_BRANCH:-unknown}
_DATE=$(date +%Y%m%d)
_AUDIT_FILE="docs/superomni/evaluations/dependency-audit-${_BRANCH}-${_DATE}.md"
echo "Dependency audit saved to ${_AUDIT_FILE}"
```
Write the full DEPENDENCY AUDIT COMPLETE report block to $_AUDIT_FILE.