qte77/scanning-dependencies
plugins/security-audit/skills/scanning-dependencies/SKILL.md
Scan project dependencies for vulnerabilities, license issues, and supply chain risks. Use when auditing third-party packages or before releases.
$ install --global
skillsauthnpx skillsauth add qte77/claude-code-plugins scanning-dependenciesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 2:51 AM38.2s1 file scanned
SKILL.md
- name:
- scanning-dependencies
- description:
- Scan project dependencies for vulnerabilities, license issues, and supply chain risks. Use when auditing third-party packages or before releases.
- compatibility:
- Designed for Claude Code
- allowed-tools:
- Read, Grep, Glob, Bash, WebSearch, WebFetch
- argument-hint:
- [project-root]
- stability:
- stable
Dependency Vulnerability Scan
Scope: $ARGUMENTS
When to Use
- Pre-release dependency audit
- Investigating CVE advisories
- License compliance review
- Supply chain risk assessment
Workflow
- Detect language ecosystem from manifest files
- Run appropriate scanner (see tool matrix)
- Check license compliance against project policy
- Identify outdated packages with known upgrade paths
- Assess supply chain risk indicators
- Report findings in structured format
Language Tool Matrix
| Ecosystem | Manifest | Lock File | Scanner Command |
|-----------|----------|-----------|-----------------|
| Node.js | package.json | package-lock.json | npm audit --json |
| Python | pyproject.toml / requirements.txt | uv.lock / requirements.txt | pip-audit --format=json |
| Rust | Cargo.toml | Cargo.lock | cargo audit --json |
| Go | go.mod | go.sum | govulncheck ./... |
Vulnerability Scan Checklist
- [ ] Run ecosystem-specific audit tool
- [ ] Cross-reference findings with NVD/GitHub Advisory Database
- [ ] Check transitive (indirect) dependencies
- [ ] Verify fix versions are available
- [ ] Confirm no yanked/deprecated packages in use
License Compliance Checklist
- [ ] Identify all dependency licenses
- [ ] Flag copyleft licenses (GPL, AGPL) in non-copyleft projects
- [ ] Flag unknown or missing license declarations
- [ ] Check for license compatibility with project license
- [ ] Document any license exceptions
Outdated Dependencies
- [ ] List packages with available major updates
- [ ] List packages with available security patches
- [ ] Identify unmaintained packages (no release in 12+ months)
- [ ] Check for deprecated packages with recommended replacements
Supply Chain Risk Indicators
- [ ] Low download count or recent ownership transfer
- [ ] Typosquatting potential (similar names to popular packages)
- [ ] Install scripts that execute arbitrary code
- [ ] Excessive permission requests
- [ ] Single-maintainer packages for critical functionality
Output Format
Vulnerability Table
| # | Package | Version | CVE | Severity | Fix Version | Direct/Transitive |
|---|---------|---------|-----|----------|-------------|-------------------|
| 1 | lodash | 4.17.20 | CVE-2021-23337 | High | 4.17.21 | Direct |
| 2 | py-yaml | 5.4.0 | CVE-2020-14343 | Critical | 5.4.1 | Transitive |
License Summary
| License | Count | Packages | Compatible |
|---------|-------|----------|------------|
| MIT | 42 | ... | Yes |
| GPL-3.0 | 1 | foo-lib | Review |
Risk Summary
- Critical CVEs: count requiring immediate action
- High CVEs: count to address before release
- License conflicts: count needing review
- Unmaintained: count packages with no recent activity
Related Skills
qte77/writing-readme
documentation
VerifiedTrustedCommunity
Generate or update README.md files across three scopes — repo (with project-type detection), account (GitHub user profile), and org (organization profile). Use when creating, updating, or aligning a README to org conventions.
1SKILL.mdUpdated Apr 19, 2026
qte77/auditing-readme
development
VerifiedTrustedCommunity
Audit README.md files against best practices for repos, accounts, or orgs. Detects missing sections, stale links, inconsistent formatting, and convention violations. Use when reviewing README quality across one or many repos.
1SKILL.mdUpdated Apr 19, 2026
qte77/researching-website-design
development
VerifiedTrustedCommunity
Analyzes industry websites for design patterns, layout, typography, and content strategies using first-principles thinking. Use when researching website design, UI patterns, or competitive design analysis.
1SKILL.mdUpdated Apr 18, 2026
qte77/auditing-website-usability
development
VerifiedTrustedCommunity
Audits website usability for UX optimization, covering forms, navigation, validation, and microcopy. Use when reviewing user experience, task completion flows, or interface friction points.
1SKILL.mdUpdated Apr 18, 2026