alirezarezvani/dependency-auditor
skills/security/dependency-auditor/SKILL.md
Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
$ install --global
skillsauthnpx skillsauth add alirezarezvani/claude-code-tresor dependency-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 3:33 PM4.5s2 files scanned
SKILL.md
- name:
- dependency-auditor
- description:
- Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
- allowed-tools:
- Bash, Read
Dependency Auditor Skill
Automatic dependency vulnerability checking.
When I Activate
- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes
What I Check
Dependency Vulnerabilities
- Known CVEs in packages
- Outdated dependencies with security fixes
- Malicious packages
- License compatibility issues
- Deprecated packages
Package Managers Supported
- Node.js: npm, yarn, pnpm
- Python: pip, pipenv, poetry
- Ruby: bundler
- Java: Maven, Gradle
- Go: go modules
- PHP: composer
Example Alerts
NPM Vulnerability
# You run: npm install lodash
# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: [email protected]
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
Recommendation: Update to [email protected] or higher
Python Vulnerability
# You modify requirements.txt: django==2.2.0
# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: [email protected]
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571
Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to [email protected]+
Multiple Vulnerabilities
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
- 3 CRITICAL
- 2 HIGH
- 2 MEDIUM
- 1 LOW
Critical issues:
1. [email protected] - SSRF vulnerability
Fix: npm install axios@latest
2. [email protected] - Prototype pollution
Fix: npm install ajv@^8.0.0
3. [email protected] - Information disclosure
Fix: npm install node-fetch@^2.6.7
Run 'npm audit fix' to automatically fix 6/8 issues
Automatic Actions
On Dependency Changes
1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
Audit Commands
# Node.js
npm audit
npm audit --json # Structured output
# Python
pip-audit
safety check
# Ruby
bundle audit
# Java (Maven)
mvn dependency-check:check
Severity Classification
CRITICAL 🚨
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable
HIGH ⚠️
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface
MEDIUM 📋
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit
LOW 💡
- Minor security improvements
- Best practice violations
- Minimal risk
Fix Strategies
Automatic Updates
# Safe automatic fixes
npm audit fix
# May include breaking changes
npm audit fix --force
Manual Updates
# Check what will change
npm outdated
# Update specific package
npm update lodash
# Major version update
npm install lodash@latest
Alternative Packages
Vulnerable: [email protected] (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
Integration with CI/CD
Block Deployments
# .github/workflows/security.yml
- name: Dependency audit
run: |
npm audit --audit-level=high
# Fails if HIGH or CRITICAL found
Scheduled Audits
# Weekly dependency check
on:
schedule:
- cron: '0 0 * * 0'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: npm audit
Sandboxing Compatibility
Works without sandboxing: ✅ Yes Works with sandboxing: ⚙️ Needs npm/pip registry access
Sandbox config:
{
"network": {
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"rubygems.org",
"repo.maven.apache.org"
]
}
}
License Checking
I also check license compatibility:
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: [email protected]
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
Best Practices
- Regular audits: Run weekly or on every dependency change
- Update frequently: Keep dependencies current
- Review breaking changes: Test before major updates
- Pin versions: Use exact versions in production
- Audit lock files: Commit and audit lock files
Related Tools
- security-auditor skill: Code vulnerability detection
- @architect sub-agent: Dependency strategy
- /review command: Pre-deployment security check
Related Skills
alirezarezvani/security-auditor
development
VerifiedTrustedCommunity
Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/secret-scanner
development
VerifiedTrustedCommunity
Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/readme-updater
development
VerifiedTrustedCommunity
Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/api-documenter
development
VerifiedTrustedCommunity
Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.
662SKILL.mdUpdated Apr 3, 2026