From leyline
Detects known-bad versions in Python dependencies, audits lockfiles like uv.lock, scans artifacts, and provides incident response patterns for supply chain security.
npx claudepluginhub athola/claude-night-market --plugin leylineThis skill uses the workspace's default tool permissions.
Supply chain attacks bypass traditional code review by compromising upstream
Enforces C++ Core Guidelines for writing, reviewing, and refactoring modern C++ code (C++17+), promoting RAII, immutability, type safety, and idiomatic practices.
Provides patterns for shared UI in Compose Multiplatform across Android, iOS, Desktop, and Web: state management with ViewModels/StateFlow, navigation, theming, and performance.
Implements Playwright E2E testing patterns: Page Object Model, test organization, configuration, reporters, artifacts, and CI/CD integration for stable suites.
Supply chain attacks bypass traditional code review by compromising upstream dependencies. This skill provides patterns for detecting, preventing, and responding to compromised packages in Python ecosystems.
The blocklist lives at ${CLAUDE_SKILL_DIR}/known-bad-versions.json.
It is consumed by:
make supply-chain-scan — CI/local scanning target{
"package_name": [{
"versions": ["x.y.z"],
"date": "YYYY-MM-DD",
"description": "What the attack did",
"indicators": ["files or patterns to search for"],
"source": "advisory URL",
"severity": "critical|high|medium"
}]
}
${CLAUDE_SKILL_DIR}/known-bad-versions.json!=x.y.z) to affected pyproject.toml filesdocs/dependency-audit.md under Supply Chain Incidentsmake supply-chain-scan to verify detection works# Scan uv.lock files for a specific compromised version
grep -r "package_name.*version" --include="uv.lock" /path/to/projects
# Search for malicious artifacts
find /path/to/projects -name "suspicious_file.pth" 2>/dev/null
# Check installed versions in virtualenvs
find /path/to/projects -path "*/.venv/lib/*/PACKAGE*/METADATA" \
-exec grep "^Version:" {} +
uv.lock includes SHA256 hashes for every package. If a package is
re-published with different content under the same version, uv sync
will fail with a hash mismatch. This is your strongest automatic defense.
| Layer | Tool | Catches |
|---|---|---|
| Lockfile hashes | uv.lock SHA256 | Tampered re-published versions |
| Version exclusions | pyproject.toml != | Known-bad versions on fresh resolve |
| SessionStart hook | sanctum hook | Per-session warning for compromised deps |
| CI scanning | OSV + Safety | CVE database + advisory matching |
| Artifact scanning | make supply-chain-scan | Malicious files (.pth, scripts) |