ragnarok22/dependency-risk-audit
skills/dependency-risk-audit/SKILL.md
Review Python dependencies for known security advisories, stale version pins, and unsafe upgrade paths. Use when users ask for dependency security reviews, requirements or lockfile audits, upgrade planning, pre-release risk checks, or remediation prioritization for Python projects.
$ install --global
skillsauthnpx skillsauth add ragnarok22/agent-skills dependency-risk-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 17, 2026, 5:11 AM113.6s3 files scanned
SKILL.md
- name:
- dependency-risk-audit
- description:
- Review Python dependencies for known security advisories, stale version pins, and unsafe upgrade paths. Use when users ask for dependency security reviews, requirements or lockfile audits, upgrade planning, pre-release risk checks, or remediation prioritization for Python projects.
Dependency Risk Audit
Run a repeatable dependency-risk audit for Python projects and return a prioritized remediation plan.
Workflow
Step 1: Identify dependency source of truth
- Detect package manager and files in this order:
poetry.lock+pyproject.tomluv.lock+pyproject.tomlPipfile.lock+Pipfilerequirements*.txtand optionalconstraints*.txt
- Prefer lockfiles for resolved versions.
- Record Python runtime constraint from:
pyproject.toml(requires-python).python-version- CI config (if present)
Step 2: Build dependency inventory
Create an inventory with:
- package name
- installed/resolved version
- dependency type (
directortransitive) - pin style (
exact,range,unbounded) - marker constraints (Python version, platform markers)
If direct/transitive split is unavailable from project files, state that limitation explicitly.
Step 3: Run security advisory checks
Prefer pip-audit. If unavailable, fall back to lockfile/static analysis and mark advisories as partially evaluated.
Common commands:
# requirements.txt projects
pip-audit -r requirements.txt -f json
# active environment
pip-audit -f json
For non-requirements workflows, export to requirements format first when possible, then audit that export.
For each finding, capture:
- advisory ID (for example
PYSEC-*,CVE-*,GHSA-*) - package + affected version
- fixed version range
- severity (if available)
- exploit or impact notes (if available)
Step 4: Detect stale pins
Classify each direct dependency:
current: no newer release in same majorminor/patch stale: behind within same majormajor stale: newer major availableunknown: latest data unavailable
Flag stale pins as higher risk when:
- package is internet-facing, auth-related, crypto-related, or framework/core runtime
- current version is multiple majors behind
- package has a recent advisory history
Step 5: Evaluate upgrade-path safety
For each dependency requiring change, assess upgrade risk:
low: patch/minor upgrade, no known breaking changesmedium: minor upgrade with behavior/config changeshigh: major upgrade, Python-version jump, or resolver conflicts likely
Check these risk signals:
- major-version jump required to reach fixed secure version
- declared Python requirement of target version conflicts with project runtime
- conflicting upper bounds across dependencies
- framework-coupled libraries that typically require code migrations
When possible, propose a stepwise path:
- patch/minor upgrades first
- isolated major upgrades next
- framework/runtime upgrades last
Step 6: Produce the report
Return a markdown report using this structure:
## Dependency Risk Audit
Audit root: `<path>`
Dependency source: `<lockfile or manifest>`
Python runtime target: `<version/constraint>`
### Executive Summary
- Overall risk: [LOW|MEDIUM|HIGH|CRITICAL]
- Known advisories: X (Critical Y, High Z, ...)
- Stale direct dependencies: X (Major-stale Y)
- Unsafe upgrade paths: X
### Security Advisories
| Package | Version | Advisory | Severity | Fixed In | Notes |
| ------- | ------- | -------- | -------- | -------- | ----- |
### Stale Pins
| Package | Current | Latest | Drift Type | Risk Notes |
| ------- | ------- | ------ | ---------- | ---------- |
### Upgrade Path Risks
| Package | Current -> Target | Risk | Why Risky | Recommended Path |
| ------- | ----------------- | ---- | --------- | ---------------- |
### Prioritized Remediation Plan
1. ...
2. ...
3. ...
### Not Evaluated
- Item + reason
Scoring Guidance (optional)
If the user asks for a numeric score, start at 100 and deduct:
- Critical advisory:
-15 - High advisory:
-10 - Medium advisory:
-6 - Low advisory:
-3 - Major-stale direct dependency:
-4 - High-risk upgrade path:
-5
Floor at 0. Cap repeated deductions for the same package/advisory pair.
Remediation Loop
If the user asks for fixes:
- Address critical/high advisories first, prioritizing low-risk upgrades.
- Re-run audit steps 2-6.
- Report risk delta, unresolved blockers, and required code changes/tests.
Related Skills
ragnarok22/write-conventional-commit
development
VerifiedTrustedCommunity
Create Git commit messages that conform to Conventional Commits 1.0.0, including type/scope/description format, optional body, trailer-style footers, and explicit BREAKING CHANGE signaling. Use when users ask to draft commit messages, commit current changes, rewrite a commit message into conventional format, or enforce conventional commit standards in a repo.
4SKILL.mdUpdated May 17, 2026
ragnarok22/queryset-optimizer
development
VerifiedTrustedCommunity
Optimize Django ORM performance by detecting N+1 query patterns, missing `select_related`/`prefetch_related`, and likely index gaps. Run targeted static scans, optional runtime query capture, and produce a prioritized remediation plan with expected query-count impact. Use when users ask to speed up Django endpoints, reduce database hits, investigate slow views/serializers, or audit QuerySet efficiency before release.
4SKILL.mdUpdated May 17, 2026
ragnarok22/python-doctor
development
VerifiedTrustedCommunity
Audit Python codebases for security, performance, correctness, and architecture antipatterns. Run optional trusted runtime checks (syntax, tests, lint, typing) plus static rule scans, then output a 0-100 health score with actionable fixes. Use when users ask to inspect a Python project, run a Python health check, review backend code quality, or perform a pre-release audit.
4SKILL.mdUpdated May 17, 2026
ragnarok22/docker-doctor
development
VerifiedTrustedCommunity
Verify Dockerfiles and Docker Compose manifests for security issues, reliability risks, optimization opportunities, syntax errors, and misconfiguration before builds or deploys. Run deterministic checks (`scripts/verify-docker.sh`, `docker compose config -q`, optional `hadolint`) and produce a 0-100 health score with prioritized fixes. Use when users ask to validate Dockerfile(s), docker-compose/compose YAML files, harden container configuration, optimize image/runtime setup, debug configuration failures, or run a pre-deploy Docker audit.
4SKILL.mdUpdated May 17, 2026