supply-chain-risk-auditor

Summary

Identifies high-risk dependencies vulnerable to exploitation or takeover through systematic supply chain analysis.

  • Evaluates all project dependencies against six risk criteria: single maintainers, unmaintained status, low popularity, high-risk features (FFI, deserialization), past CVEs, and missing security contacts
  • Uses the gh CLI tool to query accurate GitHub metrics (stars, open issues, maintainer info) for each dependency
  • Generates a structured markdown report with flagged high-risk dependencies, suggested alternatives, risk factor counts, and actionable recommendations
  • Designed for pre-audit scoping and supply chain attack surface assessment, not active vulnerability scanning
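An added example (not part of the skill or its SKILL.md) of the six-criteria evaluation the summary describes, run over constructed dependency metadata. The fields stargazers_count, archived and pushed_at follow the `gh api repos/<owner>/<repo>` response; maintainers, features, past_cves and security_contact are assumed fields the skill would gather separately, and the thresholds are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample metadata for three hypothetical dependencies. Names,
# values and the CVE placeholder are made up for this example.
SAMPLE_DEPS = [
    {"name": "fast-yaml-ffi", "stargazers_count": 120, "archived": False,
     "pushed_at": "2022-01-10T00:00:00Z", "maintainers": ["alice"],
     "features": ["ffi", "deserialization"], "past_cves": ["CVE-0000-PLACEHOLDER"],
     "security_contact": False},
    {"name": "http-client", "stargazers_count": 15000, "archived": False,
     "pushed_at": "2026-02-01T00:00:00Z", "maintainers": ["bob", "carol", "dan"],
     "features": [], "past_cves": [], "security_contact": True},
    {"name": "tiny-log", "stargazers_count": 40, "archived": True,
     "pushed_at": "2019-06-01T00:00:00Z", "maintainers": ["eve"],
     "features": [], "past_cves": [], "security_contact": False},
]

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for reproducible results
HIGH_RISK_FEATURES = {"ffi", "deserialization"}  # assumed feature labels

def risk_factors(dep, now=NOW, popularity_floor=500, stale_days=365):
    """Return the list of the six criteria this dependency trips."""
    hits = []
    if len(dep["maintainers"]) <= 1:
        hits.append("single maintainer")
    pushed = datetime.fromisoformat(dep["pushed_at"].replace("Z", "+00:00"))
    if dep["archived"] or (now - pushed).days > stale_days:
        hits.append("unmaintained")
    if dep["stargazers_count"] < popularity_floor:
        hits.append("low popularity")
    if HIGH_RISK_FEATURES & set(dep["features"]):
        hits.append("high-risk features")
    if dep["past_cves"]:
        hits.append("past CVEs")
    if not dep["security_contact"]:
        hits.append("no security contact")
    return hits

def flag_high_risk(deps, threshold=3):
    """Dependencies tripping at least `threshold` criteria, most risky first."""
    scored = [(d["name"], risk_factors(d)) for d in deps]
    flagged = [(n, f) for n, f in scored if len(f) >= threshold]
    return sorted(flagged, key=lambda x: -len(x[1]))

def markdown_report(deps):
    """Render the flagged dependencies as the markdown table the skill emits."""
    lines = ["| Dependency | Risk factors | Count |", "|---|---|---|"]
    for name, factors in flag_high_risk(deps):
        lines.append(f"| {name} | {', '.join(factors)} | {len(factors)} |")
    return "\n".join(lines)
```

Calling `markdown_report(SAMPLE_DEPS)` flags fast-yaml-ffi (all six criteria) and tiny-log (four), while http-client trips none.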
SKILL.md

Supply Chain Risk Auditor

Activates when the user says "audit this project's dependencies".

When to Use

  • Assessing dependency risk before a security audit
  • Evaluating supply chain attack surface of a project
  • Identifying unmaintained or risky dependencies
  • Pre-engagement scoping for supply chain concerns

When NOT to Use

  • Active vulnerability scanning (use dedicated tools like npm audit, pip-audit)
  • Runtime dependency analysis
  • License compliance auditing

Purpose

Installs: 3.0K
GitHub Stars: 5.1K
First Seen: Feb 26, 2026