Back to Skills
Skill

dependency-audit

Scan dependencies for vulnerabilities, outdated packages, license conflicts, and supply chain risks. Use when the user says "audit dependencies", "check vulnerabilities", "update packages", "npm audit", "supply chain security".

From project-orchestrator
Install
1
Run in your terminal
$
npx claudepluginhub vivekmano27/agent-orchestrator --plugin project-orchestrator
Tool Access

This skill is limited to using the following tools:

ReadBashGrepGlob
Skill Content

Dependency Audit Skill

Scan and secure project dependencies. Skip ecosystems not present in project-config.md.

Audit Process

  1. Read project-config.md to determine which ecosystems are present
  2. Run vulnerability scan per ecosystem (commands below)
  3. Check for outdated packages with known CVEs
  4. Review license compatibility
  5. Identify abandoned/unmaintained packages
  6. Check for supply chain risks (unpinned deps, missing lockfiles, suspicious install scripts)
  7. Output structured findings table

Commands by Ecosystem (with structured JSON output)

EcosystemAudit CommandOutput
Node.jsnpm audit --json > npm-audit.jsonJSON with CVE details
Pythonpip-audit -f json -o pip-audit.jsonJSON with CVE details
Gogovulncheck -json ./... > govulncheck.jsonJSON (includes reachability analysis)
Rustcargo audit --json > cargo-audit.jsonJSON with advisory details
Multi-ecosystemtrivy fs --scanners vuln --format json --output trivy-deps.json .JSON covering all ecosystems

Note: govulncheck already performs reachability analysis — it only reports vulnerabilities in code paths that are actually called. Flag this as a strength when presenting Go findings.

Structured Output Table

Report findings in this format for security-auditor to aggregate:

## Dependency Audit Results

| Package | Ecosystem | Current | Vulnerability | CVE | Severity | Fix Version | Reachable? |
|---|---|---|---|---|---|---|---|
| express | npm | 4.17.1 | Prototype pollution | CVE-2024-XXXX | HIGH | 4.18.0 | Yes |
| requests | pip | 2.28.0 | SSRF via redirect | CVE-2023-XXXX | MEDIUM | 2.31.0 | Unknown |

Supply Chain Checks

  • Lockfile exists and is committed (package-lock.json, yarn.lock, Pipfile.lock, go.sum)
  • No unpinned dependencies ("^", "~", "*" in package.json ranges)
  • Check for suspicious postinstall/preinstall scripts in dependencies
  • Registries point to official sources (no untrusted private registries in .npmrc/pip.conf)
  • Docker base images pinned to specific SHA or version tag (not :latest)

Severity Mapping

Use the CVE's CVSS score directly. If the vulnerable code path is NOT reachable (govulncheck confirms), downgrade one level:

  • CRITICAL (CVSS 9.0+) unreachable → report as HIGH
  • HIGH (CVSS 7.0-8.9) unreachable → report as MEDIUM
Similar Skills
Stats
Parent Repo Stars0
Parent Repo Forks0
Last CommitMar 15, 2026
Actions
View SourceView PluginView on GitHubView README