
Dependency & Supply-Chain Risk Gate — Catch Vulnerable, Outdated & Typosquatted Packages Before They Ship
Audit your project's dependencies for supply-chain risk before they ship. Detects the ecosystem, runs the right vulnerability scanners against live advisory data, and adds the checks tooling misses — outdated or abandoned packages, typosquatted or suspicious names, risky install scripts, and license conflicts — then returns a prioritized fix list and a PASS / REVIEW / BLOCK verdict. It's npm audit with triage and judgment on top.
- Audit a repo's dependencies for known vulnerabilities before a release.
- Review a lockfile or a dependency-bump PR before merging it.
- Catch abandoned, deprecated, or typosquatted packages in your tree.
$12 · or 60 credits
Sample input
Audit the dependencies in this Node project — are we safe to ship?
Sample output
A risk report: BLOCK on a high-severity prototype-pollution CVE in a transitive lodash version (safe minor-bump fix, top of the fix list); REVIEW a direct dependency whose repo was archived three years ago (plan a replacement); and a flag that a package named "reqeusts" may be a typosquat of "requests" — worth verifying, not assumed malicious. Verdict: BLOCK until the lodash fix lands.
About This Skill
Most of a project's risk isn't in code the team wrote — it's in the hundreds of transitive packages it pulled in: known CVEs, abandoned libraries, a typosquatted name one character off a popular package, an install script doing something it shouldn't, or a copyleft license in a proprietary product. This gate orchestrates the right tooling and adds the human-judgment layer scanners can't:
- Detects the ecosystem and lockfiles (npm/pnpm/yarn, pip/Poetry, Go, Cargo, Bundler, Maven, and more)
- Runs the appropriate scanner against live advisory data — never stale memory of CVEs
- Triages by severity × reachability × fix availability, flagging breaking-change fixes
- Flags outdated, deprecated, and abandoned packages
- Surfaces supply-chain signals tooling misses — typosquatting, low-trust packages, risky install scripts, non-registry sources, ownership changes — flagged to verify, never accused
- Checks license risk (informational, not legal advice)
- Returns a prioritized fix list and a PASS / REVIEW / BLOCK verdict
It catches the fixable critical that actually matters and tells you the one upgrade to make first — not a wall of raw audit output.
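The triage step described above (severity × reachability × fix availability, rolled up into a PASS / REVIEW / BLOCK verdict and an ordered fix list) and the "flag to verify, never accuse" typosquat check can be made concrete in a few dozen lines. The block below is an added illustration written for this page; it is not the skill's own code and does not call any scanner. The findings, package names, versions and the advisory identifier are constructed sample input, the popular-package list is a constructed stand-in for a real registry download-rank list, and the weights and thresholds are assumptions chosen for the example, not values the skill is known to use.

```python
"""
Added example (not the skill's own code): triage constructed dependency
findings into PASS / REVIEW / BLOCK, order the fix list so the first entry
is the one upgrade to make first, and flag likely typosquats for
verification. Every package, version and advisory below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed weights for the example; a real gate would tune these.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "moderate": 2, "low": 1}
REACH_WEIGHT = {"yes": 1.0, "unknown": 0.7, "no": 0.3}   # best-effort judgment
VERDICT_RANK = {"BLOCK": 0, "REVIEW": 1, "PASS": 2}


@dataclass
class Finding:
    package: str
    version: str
    severity: str                # critical / high / moderate / low
    reachable: str               # "yes", "unknown" or "no"
    fix_version: Optional[str]   # None when no fixed version is published
    breaking: bool = False       # fix crosses a major version boundary
    advisory: str = ""           # identifier as reported by the scanner


def risk_score(f: Finding) -> float:
    """Severity x reachability; fix availability is applied in ordering."""
    return SEVERITY_WEIGHT[f.severity] * REACH_WEIGHT[f.reachable]


def verdict(f: Finding) -> str:
    """Unknown reachability is treated as reachable: absence of evidence
    is not evidence of safety. Unreachable critical/high still gets a
    human look rather than a silent pass."""
    if f.severity in ("critical", "high") and f.reachable != "no":
        return "BLOCK"
    if f.severity in ("critical", "high") or (
        f.severity == "moderate" and f.reachable != "no"
    ):
        return "REVIEW"
    return "PASS"


def fix_list(findings):
    """Worst verdict first, then highest score, then fixes that exist and
    do not break, so the top row is the upgrade to make first."""
    def key(f):
        return (VERDICT_RANK[verdict(f)], -risk_score(f),
                f.fix_version is None, f.breaking)
    return [(verdict(f), f.package, f.version, f.fix_version, f.breaking)
            for f in sorted(findings, key=key)]


def overall_verdict(findings) -> str:
    ranks = [VERDICT_RANK[verdict(f)] for f in findings] or [VERDICT_RANK["PASS"]]
    return {v: k for k, v in VERDICT_RANK.items()}[min(ranks)]


# Constructed stand-in for a list of widely downloaded package names.
POPULAR = {"requests", "lodash", "express", "numpy", "axios", "chalk"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition, so 'reqeusts' is one edit from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(names, popular=POPULAR, max_distance=1):
    """Names within max_distance of a popular package but not equal to it.
    A hit means 'verify the source', not 'malicious'."""
    return [(n, p) for n in names for p in sorted(popular)
            if n != p and osa_distance(n, p) <= max_distance]


# Constructed sample input: not real advisories or real package data.
SAMPLE_FINDINGS = [
    Finding("lodash", "4.17.15", "high", "unknown", "4.17.21",
            advisory="EXAMPLE-ADVISORY-PLACEHOLDER"),
    Finding("left-pad-ish", "1.0.0", "moderate", "no", None),
    Finding("old-parser", "2.3.0", "critical", "no", "3.0.0", breaking=True),
    Finding("tiny-util", "0.1.0", "low", "yes", "0.1.1"),
]
SAMPLE_TREE = ["lodash", "reqeusts", "express", "my-internal-lib"]

if __name__ == "__main__":
    print("Verdict:", overall_verdict(SAMPLE_FINDINGS))
    for row in fix_list(SAMPLE_FINDINGS):
        print("  ", row)
    print("Verify:", typosquat_candidates(SAMPLE_TREE))
```

Running it on the constructed sample gives BLOCK, with the high-severity lodash finding at the top of the fix list (its fix is a non-breaking patch bump), the unreachable critical in old-parser pushed to REVIEW because its only fix is a major bump, and "reqeusts" reported as a candidate typosquat of "requests" to verify rather than as a conclusion. The design choice worth copying is that "unknown" reachability blocks: a gate that defaults unknowns to PASS quietly ships exactly the findings nobody looked at.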
Use Cases
- Audit a repo's dependencies for known vulnerabilities before a release.
- Review a lockfile or a dependency-bump PR before merging it.
- Catch abandoned, deprecated, or typosquatted packages in your tree.
- Check license risk across your dependencies for a proprietary project.
Known Limitations
Findings reflect the advisory data and tooling available at run time and aren't a guarantee of safety; this doesn't replace a full security audit or a dedicated SCA platform. Reachability is a best-effort judgment, and license notes are informational, not legal advice. Re-run after any dependency change.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/dependency-supply-chain-risk-gate-catch-vulnerable-outdated-typosquatted-packages-before-they-ship -o /tmp/dependency-supply-chain-risk-gate-catch-vulnerable-outdated-typosquatted-packages-before-they-ship.zip && unzip -o /tmp/dependency-supply-chain-risk-gate-catch-vulnerable-outdated-typosquatted-packages-before-they-ship.zip -d ~/.claude/skills && rm /tmp/dependency-supply-chain-risk-gate-catch-vulnerable-outdated-typosquatted-packages-before-they-ship.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Reviews
No reviews yet - be the first to share your experience.
Security Scanned
Passed automated security review
Permissions
No special permissions declared or detected
Tags
Works with Claude Code, Cursor, Codex CLI, Gemini CLI, and other SKILL.md-compatible agents. Covers npm/pnpm/yarn, pip/Poetry, Go, Cargo, Bundler, Maven/Gradle, and more.
Creator
PubsProToolkit builds adversarial "gate" skills for AI agents — they catch problems before your output ships, instead of just generating more. From code, security, and infrastructure to content, hiring, contracts, and finance. Built by a CMPP-certified, PhD medical writer who brings regulated-industry rigor to every domain.