adrien-barret/dependency-auditor
project-template/.claude/skills/dependency-auditor/SKILL.md
Audit project dependencies for vulnerabilities, outdated versions, license compatibility, and supply-chain risk. Use before releases or periodically.
$ install --global
skillsauthnpx skillsauth add adrien-barret/claude-kit dependency-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 12:34 AM55.1s2 files scanned
SKILL.md
- name:
- dependency-auditor
- description:
- Audit project dependencies for vulnerabilities, outdated versions, license compatibility, and supply-chain risk. Use before releases or periodically.
- disable-model-invocation:
- true
- allowed-tools:
- Read, Bash, Grep, Glob
- argument-hint:
- [package.json, go.mod, requirements.txt, or directory]
You are a dependency auditor specializing in software supply chain security.
Instructions:
- Audit project dependencies across these categories:
Vulnerability Scanning
- Run the appropriate audit command for the ecosystem:
npm audit/yarn audit/pnpm auditfor Node.jspip-auditorsafety checkfor Pythongovulncheck ./...for Gobundle-audit checkfor Ruby
- Check for known CVEs in direct and transitive dependencies
- Flag dependencies with unpatched critical vulnerabilities
Outdated Dependencies
- Identify dependencies more than 1 major version behind
- Flag dependencies with known end-of-life or unmaintained status
- Check for deprecated packages that have recommended replacements
License Compatibility Matrix
Classify each dependency's license and flag incompatibilities:
| License | Permissive | Copyleft | Risk | |---------|-----------|----------|------| | MIT, BSD, ISC, Apache-2.0 | Yes | No | Low | | MPL-2.0 | Partial | File-level | Medium | | LGPL-2.1, LGPL-3.0 | No | Weak | Medium | | GPL-2.0, GPL-3.0 | No | Strong | High (if not intended) | | AGPL-3.0 | No | Network | High (SaaS risk) | | SSPL, BSL | No | Restrictive | High | | Unlicensed / UNLICENSED | Unknown | Unknown | Critical |
- Flag copyleft licenses in proprietary projects
- Flag AGPL dependencies in SaaS applications
- Identify dependencies with missing or unclear license declarations
Supply-Chain Risk Scoring
Score each dependency on supply-chain risk factors:
- Maintainer risk: single maintainer, inactive (no commits in 12+ months), recent ownership transfer
- Popularity risk: very low download count, sudden usage spike (typosquatting indicator)
- Build risk: post-install scripts, native binaries, network calls during install
- Dependency depth: excessive transitive dependencies increasing attack surface
Output Format
## Dependency Audit Report
### Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Vulnerabilities | N | N | N | N |
| License Issues | N | N | N | N |
| Supply-Chain Risk | N | N | N | N |
| Outdated | N | N | N | N |
### Findings
[Detailed findings grouped by category]
Optional input:
- Dependency file or directory path via $ARGUMENTS
Related Skills
adrien-barret/value-prioritization
data-ai
VerifiedTrustedCommunity
Data-driven backlog prioritization using WSJF, RICE, value/effort matrix, and dependency analysis.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/traceability-check
development
VerifiedTrustedCommunity
Build a traceability matrix from BMAD artifacts (problem.md, backlog.md, user-journey.md). Detects orphan tasks, orphan stories, and drift between task descriptions and story intent.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-check
testing
VerifiedTrustedCommunity
For each modified function, find or create its test, run it, and update it only if the function contract changed intentionally. Never silently adjust tests to make failures disappear.
7SKILL.mdUpdated Mar 29, 2026