Skill

dependency-auditor

CVE scanning, freshness analysis, and licensing audit of project dependencies. Trigger: "audit dependencies", "check vulnerabilities", "CVE scan", "license check".

From sovereign-architect

Install

Run in your terminal

npx claudepluginhub javimontano/mao-sovereign-architect

Tool Access

This skill is limited to using the following tools:

ReadGlobGrepBashAgent

Supporting Assets

View in Repository

evals/evals.json

examples/sample-output.md

prompts/use-case-prompts.md

references/body-of-knowledge.md

Skill Content

Dependency Auditor

Analyze project dependencies for known vulnerabilities, staleness, licensing conflicts, and supply chain risks.

Guiding Principle

"Your software is only as secure as its weakest dependency."

Procedure

Step 1 — Dependency Inventory

Parse all manifest files to build a complete dependency tree (direct + transitive).
Separate production dependencies from dev/test dependencies.
Identify pinning strategy: exact versions, ranges, or floating.
Flag dependencies without lock file entries as [INFERENCIA] risk.
Count total dependency surface area (direct count vs. transitive count).

Step 2 — Vulnerability Scan

Cross-reference dependencies against known CVE databases (NVD, GitHub Advisory, OSV).
Classify each vulnerability by CVSS score: Critical (9.0+), High (7.0-8.9), Medium (4.0-6.9), Low (<4.0).
Identify whether vulnerable code paths are reachable in the project.
Check for known exploits in the wild vs. theoretical vulnerabilities.
Document each finding with CVE ID, affected package, and remediation path [HECHO].

Step 3 — Freshness & Maintenance Analysis

Compare installed versions against latest available releases.
Calculate days-behind-latest for each dependency.
Check last publish date and commit activity on source repositories.
Flag abandoned packages (no commits >12 months) as [INFERENCIA] risk.
Identify dependencies with pending major version upgrades.

Step 4 — License Compliance

Extract license declarations from each package.
Classify licenses: permissive (MIT, Apache-2.0), copyleft (GPL, AGPL), proprietary, unknown.
Flag copyleft licenses in proprietary projects as compliance risk.
Identify packages with no declared license.
Produce a license compatibility matrix for the dependency tree.

Quality Criteria

Every CVE finding includes ID, severity, and remediation [HECHO]
Freshness metrics based on actual registry data, not assumptions
License classification follows SPDX identifier standards
Transitive dependencies are included, not just direct

Anti-Patterns

Running npm audit alone and calling it a day (misses transitive, ignores context)
Treating all vulnerabilities equally regardless of reachability
Ignoring dev dependencies (they run in CI and developer machines)
Assuming MIT means "no restrictions" without reading the actual terms

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

138.0k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

138.0k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

138.0k

Stats

Stars0

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Procedure

Step 1 — Dependency Inventory

Parse all manifest files to build a complete dependency tree (direct + transitive).

Separate production dependencies from dev/test dependencies.

Identify pinning strategy: exact versions, ranges, or floating.

Flag dependencies without lock file entries as [INFERENCIA] risk.

Count total dependency surface area (direct count vs. transitive count).

Step 2 — Vulnerability Scan

Cross-reference dependencies against known CVE databases (NVD, GitHub Advisory, OSV).

Classify each vulnerability by CVSS score: Critical (9.0+), High (7.0-8.9), Medium (4.0-6.9), Low (<4.0).

Identify whether vulnerable code paths are reachable in the project.

Check for known exploits in the wild vs. theoretical vulnerabilities.

Document each finding with CVE ID, affected package, and remediation path [HECHO].

Step 3 — Freshness & Maintenance Analysis

Compare installed versions against latest available releases.

Calculate days-behind-latest for each dependency.

Check last publish date and commit activity on source repositories.

Flag abandoned packages (no commits >12 months) as [INFERENCIA] risk.

Identify dependencies with pending major version upgrades.

Step 4 — License Compliance

Extract license declarations from each package.

Classify licenses: permissive (MIT, Apache-2.0), copyleft (GPL, AGPL), proprietary, unknown.

Flag copyleft licenses in proprietary projects as compliance risk.

Identify packages with no declared license.

Produce a license compatibility matrix for the dependency tree.