MCP.directory

dependency-auditor

by alirezarezvani
6
1
Source

Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.

Install

mkdir -p .claude/skills/dependency-auditor && curl -L -o skill.zip "https://mcp.directory/api/skills/download/2476" && unzip -o skill.zip -d .claude/skills/dependency-auditor && rm skill.zip

Installs to .claude/skills/dependency-auditor

About this skill

Dependency Auditor Skill

Automatic dependency vulnerability checking.

When I Activate

  • ✅ package.json modified
  • ✅ requirements.txt changed
  • ✅ Gemfile or pom.xml modified
  • ✅ User mentions dependencies or vulnerabilities
  • ✅ Before deployments
  • ✅ yarn.lock or package-lock.json changes

What I Check

Dependency Vulnerabilities

  • Known CVEs in packages
  • Outdated dependencies with security fixes
  • Malicious packages
  • License compatibility issues
  • Deprecated packages

Package Managers Supported

  • Node.js: npm, yarn, pnpm
  • Python: pip, pipenv, poetry
  • Ruby: bundler
  • Java: Maven, Gradle
  • Go: go modules
  • PHP: composer

Example Alerts

NPM Vulnerability

# You run: npm install lodash

# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: [email protected]
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to [email protected] or higher

Python Vulnerability

# You modify requirements.txt: django==2.2.0

# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: [email protected]
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to [email protected]+

Multiple Vulnerabilities

# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
  - 3 CRITICAL
  - 2 HIGH
  - 2 MEDIUM
  - 1 LOW

Critical issues:
  1. [email protected] - SSRF vulnerability
     Fix: npm install axios@latest

  2. [email protected] - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. [email protected] - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues

Automatic Actions

On Dependency Changes

1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes

Audit Commands

# Node.js
npm audit
npm audit --json  # Structured output

# Python
pip-audit
safety check

# Ruby
bundle audit

# Java (Maven)
mvn dependency-check:check

Severity Classification

CRITICAL 🚨

  • Remote code execution
  • SQL injection
  • Authentication bypass
  • Publicly exploitable

HIGH ⚠️

  • Cross-site scripting
  • Denial of service
  • Information disclosure
  • Wide attack surface

MEDIUM 📋

  • Limited impact vulnerabilities
  • Requires specific conditions
  • Difficult to exploit

LOW 💡

  • Minor security improvements
  • Best practice violations
  • Minimal risk

Fix Strategies

Automatic Updates

# Safe automatic fixes
npm audit fix

# May include breaking changes
npm audit fix --force

Manual Updates

# Check what will change
npm outdated

# Update specific package
npm update lodash

# Major version update
npm install lodash@latest

Alternative Packages

Vulnerable: [email protected] (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]

Integration with CI/CD

Block Deployments

# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found

Scheduled Audits

# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit

Sandboxing Compatibility

Works without sandboxing: ✅ Yes Works with sandboxing: ⚙️ Needs npm/pip registry access

Sandbox config:

{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}

License Checking

I also check license compatibility:

⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: [email protected]
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative

Best Practices

  1. Regular audits: Run weekly or on every dependency change
  2. Update frequently: Keep dependencies current
  3. Review breaking changes: Test before major updates
  4. Pin versions: Use exact versions in production
  5. Audit lock files: Commit and audit lock files

Related Tools

  • security-auditor skill: Code vulnerability detection
  • @architect sub-agent: Dependency strategy
  • /review command: Pre-deployment security check

More by alirezarezvani

View all skills by alirezarezvani

senior-architect

alirezarezvani

Comprehensive software architecture skill for designing scalable, maintainable systems using ReactJS, NextJS, NodeJS, Express, React Native, Swift, Kotlin, Flutter, Postgres, GraphQL, Go, Python. Includes architecture diagram generation, system design patterns, tech stack decision frameworks, and dependency analysis. Use when designing system architecture, making technical decisions, creating architecture diagrams, evaluating trade-offs, or defining integration patterns.

444257

finance-skills

alirezarezvani

Production-ready financial analyst skill with ratio analysis, DCF valuation, budget variance analysis, and rolling forecast construction. 4 Python tools (all stdlib-only). Works with Claude Code, Codex CLI, and OpenClaw.

12071

content-creator

alirezarezvani

Create SEO-optimized marketing content with consistent brand voice. Includes brand voice analyzer, SEO optimizer, content frameworks, and social media templates. Use when writing blog posts, creating social media content, analyzing brand voice, optimizing SEO, planning content calendars, or when user mentions content creation, brand voice, SEO optimization, social media marketing, or content strategy.

14134

ad-creative

alirezarezvani

When the user needs to generate, iterate, or scale ad creative for paid advertising. Use when they say 'write ad copy,' 'generate headlines,' 'create ad variations,' 'bulk creative,' 'iterate on ads,' 'ad copy validation,' 'RSA headlines,' 'Meta ad copy,' 'LinkedIn ad,' or 'creative testing.' This is pure creative production — distinct from paid-ads (campaign strategy). Use ad-creative when you need the copy, not the campaign plan.

8132

cold-email

alirezarezvani

When the user wants to write, improve, or build a sequence of B2B cold outreach emails to prospects who haven't asked to hear from them. Use when the user mentions 'cold email,' 'cold outreach,' 'prospecting emails,' 'SDR emails,' 'sales emails,' 'first touch email,' 'follow-up sequence,' or 'email prospecting.' Also use when they share an email draft that sounds too sales-y and needs to be humanized. Distinct from email-sequence (lifecycle/nurture to opted-in subscribers) — this is unsolicited outreach to new prospects. NOT for lifecycle emails, newsletters, or drip campaigns (use email-sequence).

6726

content-trend-researcher

alirezarezvani

Advanced content and topic research skill that analyzes trends across Google Analytics, Google Trends, Substack, Medium, Reddit, LinkedIn, X, blogs, podcasts, and YouTube to generate data-driven article outlines based on user intent analysis

12325

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

1,6881,430

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

1,2721,337

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

1,5471,153

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

1,359809

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

1,269732

pdf-to-markdown

aliceisjustplaying

Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.

1,498687

Related MCP Servers

Browse all servers
Security AuditSecurity Audit

Security Audit analyzes Node.js dependencies for vulnerabilities using npm-audit-report, delivering actionable security

511 tools
Code Audit (Ollama)Code Audit (Ollama)

Scan your website for viruses and vulnerabilities with Code Audit (Ollama). Get a comprehensive site scanner virus check

10 tools
RepomixRepomix

Optimize your codebase for AI with Repomix—transform, compress, and secure repos for easier analysis with modern AI tool

22,2988 tools
Axe AccessibilityAxe Accessibility

Test website accessibility and ensure WCAG compliance with Axe Accessibility, a web accessibility checker with detailed

786 tools
AgentKits MemoryAgentKits Memory

AgentKits Memory — local, persistent memory for AI coding assistants. On-premise SQLite with optional vector search for

550 tools
ClickUpClickUp

Integrate ClickUp with powerful API tools to manage tasks, docs, and checklists from conversations using Node.js resourc

420 tools