From penetration-tester
Audits Python project dependencies for known CVEs using pip-audit, detecting vulnerable direct and transitive packages, with fallback to pip list --outdated.
How this skill is triggered — by the user, by Claude, or both
Slash command
/penetration-tester:auditing-python-dependenciesThis skill is limited to the following tools:
These tools are removed from Claude's available pool while this skill is active:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
PyPI hosts north of 500,000 packages, with several thousand new
PyPI hosts north of 500,000 packages, with several thousand new
releases every day. The package-install model is identical to npm in
the relevant ways: a pip install resolves a transitive graph,
runs each package's setup.py (which executes arbitrary Python at
install time), and writes the result to your site-packages. The CVE
attack surface is therefore the same shape: known vulnerabilities,
maintainer-account takeovers, typosquats, and protestware.
The PyPA-blessed auditor is pip-audit. It queries the Open Source
Vulnerabilities (OSV) database (which mirrors PyPA's advisory feed
plus aggregated CVE / GHSA records) and reports per-package
vulnerable versions. pip-audit integrates with requirements.txt,
pyproject.toml, Pipfile.lock, and poetry.lock, so most Python
project layouts are first-class.
This skill wraps pip-audit, normalizes its severity vocabulary to
the shared Severity enum, and emits Findings in the canonical
penetration-tester schema. If pip-audit isn't installed on the
host, the skill falls back to pip list --outdated and emits
INFO-level findings recommending the operator install pip-audit
for accurate vulnerability detection.
| Finding | Severity | Threshold | Affected control |
|---|---|---|---|
| Critical CVE in installed package | CRITICAL | OSV severity band corresponds to CVSS ≥ 9.0 | CWE-1104 |
| High CVE in installed package | HIGH | OSV severity band corresponds to CVSS 7.0–8.9 | CWE-1104 |
| Medium CVE in installed package | MEDIUM | OSV severity band corresponds to CVSS 4.0–6.9 | CWE-1104 |
| Low CVE in installed package | LOW | OSV severity band corresponds to CVSS 0.1–3.9 | CWE-1104 |
| Vulnerable package with no patch | HIGH | finding has no fix_versions and severity ≥ medium | CWE-1395 |
| Outdated package (no CVE) | INFO | pip list --outdated reports a newer version | (operational) |
| pip-audit not installed | INFO | binary not on PATH; scanner fell back to pip list | (operational) |
| Audit DB unreachable | INFO | pip-audit network error reaching OSV | (operational) |
OSV is the upstream of record. pip-audit also consults the PyPA advisory database for Python-specific records that may not yet have a CVE assigned.
pip-audit installed (pip install pip-audit); skill falls back
to pip list --outdated if absentrequirements.txt,
pyproject.toml, Pipfile.lock, poetry.lockapi.osv.dev) and PyPI (pypi.org)Locate the project directory. The scanner auto-detects requirement files in order of preference:
poetry.lock (most precise — exact resolved tree)Pipfile.lockrequirements.txt (and requirements-*.txt siblings)pyproject.toml (PEP 621 dependencies)pip list (last resort)python3 ./scripts/audit_python.py /path/to/python-project
Options:
Usage: audit_python.py PATH [OPTIONS]
Options:
--output FILE Write findings to FILE (default: stdout)
--format FMT json | jsonl | markdown (default: markdown)
--min-severity SEV (default: info)
--requirement FILE Override auto-detection; specify a particular
requirements file (repeatable)
--include-dev Include development dependencies (default: prod
only when project layout allows the distinction)
--strict Treat pip-audit warnings as errors
CRITICAL / HIGH = block release.
MEDIUM / LOW = track but don't block; many Python advisories report edge-case theoretical issues that don't apply to your usage.
INFO = log only; e.g. "outdated but no known CVE" is information for your release cadence, not a security action.
For a vulnerable package with fix_versions:
Bump the version pin in your requirements file:
- requests==2.20.0
+ requests==2.31.0
Run pip install -r requirements.txt --upgrade (or
poetry lock --no-update && poetry update <pkg>).
Run the test suite. CVE fixes occasionally include behavioral changes you didn't expect.
Commit the lock file diff alongside the requirements bump.
For a vulnerable transitive dep (one you didn't declare directly):
Find the parent: pip show <vulnerable-package> lists the parents
in its "Required-by" line.
Check whether bumping the parent picks up the fix. pip index versions <parent> lists available versions.
If parent doesn't have a newer release that floors the vulnerable dep above the fix version, pin the transitive dep yourself in your requirements file. pip will use the more specific pin.
For a vulnerable package with NO fix available:
Subscribe to PyPA advisory notifications for that package.
If the vulnerability is exploitable in your usage, either replace the package or vendor + patch locally.
Document the exception in your security register with a re-evaluation date.
python3 ./scripts/audit_python.py . --min-severity high --format json --output audit.json
jq -e '. == []' audit.json || { echo "High/critical Python CVE — fix before merge"; exit 1; }
- name: pip-audit
run: pip install pip-audit
- name: Run audit
run: |
python3 plugins/security/penetration-tester/skills/auditing-python-dependencies/scripts/audit_python.py \
. --min-severity high --format markdown --output py-audit.md
mkdir -p evidence/CC7/
python3 ./scripts/audit_python.py . --include-dev --format json \
--output evidence/CC7/py-audit-$(date +%Y%m%d).json
--include-dev for SOC2: include dev/test deps so auditors see the
full surface, not just production.
JSON / JSONL / Markdown per lib/report.py. Exit codes: 0 clean, 1
high/critical, 2 error.
Each Finding includes:
id — synthesized as pypi-audit::<cve-id> (or pypi-audit::<ghsa> / pypi-audit::<pypa-id> when no CVE)severity — CRITICAL / HIGH / MEDIUM / LOW / INFOcategory — dependency-vulnerabilitysummary — short CVE / GHSA titleevidence — affected package, affected version, fix versions, advisory IDreferences — OSV URL, CVE URL, PyPA advisory URLpip list --outdated,
emits an INFO Finding flagging the degraded scan, and proceeds.references/THEORY.md — PyPI supply-chain history, OSV vs NVD vs
PyPA advisory scopes, why ecosystem-specific severity matters,
Python-specific install-time risks (setup.py execution, eager
dependency resolution), pip-audit vs Safety vs Snyk trade-offsreferences/PLAYBOOK.md — Per-toolchain remediation patterns
(pip + requirements.txt, poetry, pipenv, uv, conda), monorepo /
workspace scanning, override-equivalent patterns in Python
ecosystem, GitHub Dependabot ecosystem mapping, SOC2 evidence
retentionnpx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin penetration-tester5plugins reuse this skill
First indexed Jul 18, 2026
Audits dependencies for security vulnerabilities in Node.js, Python, Go, Ruby, Rust projects using npm audit, pip-audit, govulncheck, bundle audit; includes fixes and verification.
Scans project dependencies for known CVEs and security vulnerabilities across npm, pip, cargo, and other ecosystems. Supports severity filtering and auto-fix.
Audits project dependencies for CVEs using detected package manager, reports vulnerabilities with installed/fixed versions and exact upgrade commands. Includes auto-fix and banned-packages check.