abzhaw/dependency-audit
meta/agents/security-agent/skills/04-dependency-audit/SKILL.md
Scan all npm packages across all services for known CVEs and outdated critical packages
testing
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add abzhaw/juliaz_agents dependency-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 12:35 PM53.2s1 file scanned
SKILL.md
- name:
- dependency-audit
- description:
- Scan all npm packages across all services for known CVEs and outdated critical packages
Skill: Dependency Audit
Purpose
Third-party npm packages are the #1 supply-chain attack vector. This skill runs npm audit across every service and flags anything with a known CVE.
Services to Scan
orchestrator/bridge/frontend/cowork-mcp/backend/
What It Checks
- Known CVEs in installed packages (
npm audit --json) - Severity: critical, high, moderate, low
- Direct vs. transitive dependencies
- Packages with no recent updates (>2 years stale)
Commands
# Run audit across all services
for service in orchestrator bridge frontend cowork-mcp backend; do
echo "=== $service ==="
npm audit --json --prefix /Users/raphael/juliaz_agents/$service 2>/dev/null \
| python3 -c "
import json, sys
d = json.load(sys.stdin)
vulns = d.get('vulnerabilities', {})
for name, info in vulns.items():
sev = info.get('severity', 'unknown')
print(f' [{sev.upper()}] {name}: {info.get(\"title\",\"\")}')
"
done
Severity Rules
| Finding | Severity | |---------|----------| | Critical CVE in direct dependency | 🔴 Critical | | High CVE in direct dependency | 🟠 High | | Critical/High in transitive dep | 🟡 Medium | | Moderate/Low CVE | 🟢 Low | | Package >2 years without update | 🟢 Low |
Output Format
DEPENDENCY AUDIT
orchestrator: ✅ 0 vulnerabilities
bridge: ⚠️ 1 HIGH — axios: SSRF via redirect (CVE-2023-45857)
frontend: ✅ 0 vulnerabilities
backend: 🔴 1 CRITICAL — lodash: prototype pollution (CVE-2021-23337)
cowork-mcp: ✅ 0 vulnerabilities
Related Skills
abzhaw/thesis-tracker
development
VerifiedTrustedCommunity
Fortschrittsverfolgung der Masterarbeit. Wortanzahl pro Kapitel, Fertigstellungsgrad, fehlende Elemente, Deadlines. Haelt den Ueberblick.
SKILL.mdUpdated Mar 27, 2026
abzhaw/thesis-structure
development
VerifiedTrustedCommunity
Kapitelarchitektur und Gliederung der Masterarbeit. Verwaltet die Struktur, schlaegt vor wo Inhalte hingehoeren, validiert den logischen Fluss zwischen Kapiteln.
SKILL.mdUpdated Mar 27, 2026
abzhaw/session-synthesizer
tools
VerifiedTrustedCommunity
Konvertiert Protokolleinträge und Session-Logs in thesis-fähiges deutsches Narrativ. Transformiert Entwicklungsdokumentation in akademische Prosa.
SKILL.mdUpdated Mar 27, 2026
abzhaw/research-scout
research
VerifiedTrustedCommunity
Sucht und analysiert akademische Literatur. Findet relevante Papers, erstellt strukturierte Zusammenfassungen. Zitiert NIEMALS — schlaegt nur vor.
SKILL.mdUpdated Mar 27, 2026