Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sd0xdev/dep-audit

Name: dep-audit
Author: sd0xdev

skills/dep-audit/SKILL.md

npx skillsauth add sd0xdev/sd0x-dev-flow dep-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Dependency Audit

Trigger

Keywords: dep audit, dependency audit, security audit dependencies, dep-audit

When NOT to Use

OWASP code review (use /codex-security)
Code review (use /codex-review-fast)
General security review (use /codex-security)

Workflow Steps

| Step | Goal | Safety | |------|------|--------| | audit | Scan dependencies for vulnerabilities | read-only |

Failure behavior: report-all

Task

Arguments

$ARGUMENTS

--level <severity> — Minimum reporting level (low/moderate/high/critical), default: moderate
--fix — Attempt automatic fix

Step 1: Check for audit script

Use Glob to check if .claude/scripts/dep-audit.sh exists in the project root.

Found → run: bash .claude/scripts/dep-audit.sh $ARGUMENTS
- If script succeeds, use its output and skip to the Output section.
- If script fails, treat as a real audit failure (do not silently fallback).
NOT found → skip to Step 2 (do NOT attempt to run the script).

Step 2: Fallback (no audit script)

Detect the project ecosystem and run the audit manually.

Ecosystem detection (check project root for manifest files):

| Manifest | Ecosystem | Audit Command | Fix Command | |----------|-----------|---------------|-------------| | package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit --audit-level {LEVEL} | pnpm audit --fix | | package.json + yarn.lock | Node (yarn) | yarn audit --level {LEVEL} | yarn audit --fix or npx yarn-audit-fix | | package.json | Node (npm) | npm audit --audit-level={LEVEL} | npm audit fix | | pyproject.toml | Python | pip-audit or safety check | pip-audit --fix | | Cargo.toml | Rust | cargo audit | cargo audit fix | | go.mod | Go | govulncheck ./... | (manual fix) | | build.gradle | Java | ./gradlew dependencyCheckAnalyze | (manual fix) |

Default {LEVEL} is moderate unless --level argument is provided.

If --fix is specified, run the fix command for the detected ecosystem after audit. If no recognized manifest file exists, report an error.

Output

## Audit Results

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |

## Vulnerability Details

### [severity] Issue Title

- **Package**: package-name
- **Fix**: Available / Not available

## Gate

✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities

Examples

/dep-audit
/dep-audit --level high
/dep-audit --fix

sd0xdev/dep-audit

skills/dep-audit/SKILL.md

Audit dependency security risks

144 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sd0xdev/sd0x-dev-flow dep-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 4:07 AM99.6s1 file scanned

SKILL.md

name:: dep-audit
description:: Audit dependency security risks
allowed-tools:: Bash(yarn audit *), Bash(npm audit *), Bash(pnpm audit *), Bash(npx *), Bash(bash *), Read, Glob

Dependency Audit

Trigger

Keywords: dep audit, dependency audit, security audit dependencies, dep-audit

When NOT to Use

OWASP code review (use /codex-security)
Code review (use /codex-review-fast)
General security review (use /codex-security)

Workflow Steps

| Step | Goal | Safety | |------|------|--------| | audit | Scan dependencies for vulnerabilities | read-only |

Failure behavior: report-all

Task

Arguments

$ARGUMENTS

--level <severity> — Minimum reporting level (low/moderate/high/critical), default: moderate
--fix — Attempt automatic fix

Step 1: Check for audit script

Use Glob to check if .claude/scripts/dep-audit.sh exists in the project root.

Found → run: bash .claude/scripts/dep-audit.sh $ARGUMENTS
- If script succeeds, use its output and skip to the Output section.
- If script fails, treat as a real audit failure (do not silently fallback).
NOT found → skip to Step 2 (do NOT attempt to run the script).

Step 2: Fallback (no audit script)

Detect the project ecosystem and run the audit manually.

Ecosystem detection (check project root for manifest files):

Default {LEVEL} is moderate unless --level argument is provided.

If --fix is specified, run the fix command for the detected ecosystem after audit. If no recognized manifest file exists, report an error.

Output

## Audit Results

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |

## Vulnerability Details

### [severity] Issue Title

- **Package**: package-name
- **Fix**: Available / Not available

## Gate

✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities

Examples

/dep-audit
/dep-audit --level high
/dep-audit --fix

Related Skills

sd0xdev/zh-tw

documentation

VerifiedTrustedCommunity

Rewrite the previous reply in Traditional Chinese

147SKILL.mdUpdated Apr 28, 2026

sd0xdev/watch-ci

development

VerifiedTrustedCommunity

Monitor GitHub Actions CI runs until completion. Use when: watching CI after push, checking build status, monitoring PR checks, waiting for CI completion, user says 'watch CI', 'check CI', 'CI status', 'monitor build', or /watch-ci. Not for: pushing code (use push-ci), creating PRs (use create-pr). Output: per-run verdict (pass/fail/timeout).

147SKILL.mdUpdated Apr 28, 2026

sd0xdev/verify

development

VerifiedTrustedCommunity

Verification loop — lint -> typecheck -> unit -> integration -> e2e

147SKILL.mdUpdated Apr 28, 2026

sd0xdev/update-docs

development

VerifiedTrustedCommunity

Research current code state then update corresponding docs, ensuring docs stay in sync with code.

147SKILL.mdUpdated Apr 28, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sd0xdev/sd0x-dev-flow.git

# Copy into Claude Code skills folder (global)
cp -r sd0x-dev-flow/skills/dep-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sd0xdev/sd0x-dev-flow

144 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT