Socket SCA
This skill performs software composition analysis (SCA) for npm and pip projects using the Socket.dev socket CLI, identifying supply chain risks such as install-script abuse, typosquatting, obfuscated code, protestware, and malicious packages, then mapping findings to CWE and OWASP Top 10:2021 standards. Where the CLI is unavailable, ten structured manual checks provide partial coverage.
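To make the manual-check idea concrete, the block below is an added illustration written for this page, not the skill's own code and not the Socket CLI: it parses a constructed package.json and applies two checks of the kind the description names, one for install-script abuse (npm lifecycle hooks that run code during install) and one for typosquatting (dependency names within edit distance 1 of a well-known name). The hook list, the small reference list of popular package names, and the CWE/OWASP Top 10:2021 mappings (CWE-829 and A08:2021 for install scripts, CWE-1357 and A06:2021 for typosquats) are the editor's chosen assumptions, not the skill's documented mapping.

```python
"""Two manual SCA checks over a package.json (added illustration, not the skill's code)."""
import json
from dataclasses import dataclass

# npm runs these lifecycle hooks automatically during `npm install`, which is
# why a script under any of them deserves review before deployment.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed reference list of well-known names. A real check would draw on a
# registry popularity feed; this is only enough to demonstrate the comparison.
POPULAR_PACKAGES = {"lodash", "express", "react", "axios", "chalk", "request"}


@dataclass(frozen=True)
class Finding:
    check: str    # which manual check fired
    subject: str  # the hook name or the dependency name
    detail: str   # the script command or the near-miss it resembles
    cwe: str      # editor's mapping, not an official Socket mapping
    owasp: str    # OWASP Top 10:2021 category, same caveat


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to spot near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_install_scripts(manifest: dict) -> list[Finding]:
    """Flag any script bound to an install-time lifecycle hook."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(Finding("install-script", hook, cmd, "CWE-829", "A08:2021"))
    return findings


def check_typosquats(manifest: dict, max_distance: int = 1) -> list[Finding]:
    """Flag dependencies whose name is a near miss of a well-known package."""
    findings = []
    names = list(manifest.get("dependencies", {})) + list(manifest.get("devDependencies", {}))
    for name in names:
        if name in POPULAR_PACKAGES:
            continue  # exact match to a known name is not a typosquat
        for popular in sorted(POPULAR_PACKAGES):
            if levenshtein(name, popular) <= max_distance:
                findings.append(Finding("typosquat", name, f"close to {popular}",
                                        "CWE-1357", "A06:2021"))
                break
    return findings


def scan_manifest(text: str) -> list[Finding]:
    """Run both manual checks over the JSON text of a package.json."""
    manifest = json.loads(text)
    return check_install_scripts(manifest) + check_typosquats(manifest)


# Constructed sample manifest: one postinstall hook and one misspelt dependency.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "scripts": {"test": "jest", "postinstall": "node ./setup.js"},
  "dependencies": {"express": "^4.18.2", "lodsh": "^4.17.21", "axios": "^1.6.0"}
}"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_PACKAGE_JSON):
        print(f"[{f.check}] {f.subject}: {f.detail} ({f.cwe}, {f.owasp})")
```

Running the block on the sample reports the postinstall hook and the `lodsh` dependency; swapping in a project's real package.json text is the intended use. Edit distance 1 is deliberately tight so that legitimately distinct short names do not flood the output.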
When to Use
- When the user asks to "scan dependencies for supply chain risks" or "run Socket"
- When the user mentions "SCA", "dependency audit", or "supply chain analysis"
- When reviewing package.json, package-lock.json, requirements.txt, or Pipfile before deployment
- When a pull request adds or upgrades dependencies and a security check is requested
- When the user asks to detect typosquatting, install scripts, or malicious packages
- When onboarding a third-party library and due diligence is needed
- When investigating a suspected compromised or protestware package
When NOT to Use