# dependency-auditor

Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
## Install

```shell
mkdir -p .claude/skills/dependency-auditor && curl -L -o skill.zip "https://mcp.directory/api/skills/download/2476" && unzip -o skill.zip -d .claude/skills/dependency-auditor && rm skill.zip
```

Installs to `.claude/skills/dependency-auditor`.
## About this skill

Dependency Auditor Skill: automatic dependency vulnerability checking.

### When I Activate
- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes
### What I Check

#### Dependency Vulnerabilities
- Known CVEs in packages
- Outdated dependencies with security fixes
- Malicious packages
- License compatibility issues
- Deprecated packages
#### Package Managers Supported
- Node.js: npm, yarn, pnpm
- Python: pip, pipenv, poetry
- Ruby: bundler
- Java: Maven, Gradle
- Go: go modules
- PHP: composer
### Example Alerts

#### NPM Vulnerability

```text
# You run: npm install lodash
# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203
Recommendation: Update to lodash@4.17.21 or higher
```
#### Python Vulnerability

```text
# You modify requirements.txt: django==2.2.0
# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571
Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to Django@2.2.28+
```
#### Multiple Vulnerabilities

```text
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
- 3 CRITICAL
- 2 HIGH
- 2 MEDIUM
- 1 LOW

Critical issues:
1. axios@0.21.0 - SSRF vulnerability
   Fix: npm install axios@latest
2. ajv@6.10.0 - Prototype pollution
   Fix: npm install ajv@^8.0.0
3. node-fetch@2.6.0 - Information disclosure
   Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues
```
### Automatic Actions

#### On Dependency Changes
1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
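The six steps above, carried through end to end for npm, as an added example that is not the skill's own code. It detects the package manager from marker files, runs `npm audit --json`, parses the version 2 report (whose shape is real: `via` mixes advisory objects with plain package-name strings, and `fixAvailable` is `true`, `false` or an object carrying `isSemVerMajor`), sorts by severity, suggests a fix and flags fixes that cross a major version. The same threshold rule as `npm audit --audit-level=<level>` decides PASS/FAIL. The marker table and every sample entry except lodash are constructed assumptions, so the block runs offline.

```python
# Added example, not the dependency-auditor skill's own code. The `npm audit --json`
# (auditReportVersion 2) shape is real; MANAGER_MARKERS and the non-lodash sample
# entries are constructed assumptions.
import json
import os
import subprocess
from collections import Counter

# npm's severity levels, ranked so a threshold like --audit-level=high works.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Step 1: lockfile/manifest marker -> (manager, audit command). Assumed mapping.
MANAGER_MARKERS = [
    ("package-lock.json", "npm", ["npm", "audit", "--json"]),
    ("pnpm-lock.yaml", "pnpm", ["pnpm", "audit", "--json"]),
    ("requirements.txt", "pip", ["pip-audit", "-r", "requirements.txt", "-f", "json"]),
    ("Gemfile.lock", "bundler", ["bundle", "audit", "check"]),
]

def detect_package_manager(project_dir):
    """Return (manager, command) for the first marker file found, else (None, None)."""
    for marker, manager, command in MANAGER_MARKERS:
        if os.path.exists(os.path.join(project_dir, marker)):
            return manager, command
    return None, None

def run_npm_audit(project_dir):
    """Step 2. npm exits non-zero whenever it finds something, so ignore the status."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir, capture_output=True, text=True)
    return json.loads(proc.stdout)

def parse_npm_audit(report):
    """Steps 3 and 6: flatten a v2 report into findings. `via` mixes advisory objects
    (root cause) with plain strings (vulnerable deps this package only depends on);
    `fixAvailable` is True, False, or an object whose isSemVerMajor marks a breaking fix."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):
            suggestion = f"npm install {fix['name']}@{fix['version']}"
            breaking = bool(fix.get("isSemVerMajor"))
        elif fix is True:
            suggestion = "npm audit fix"
            breaking = False
        else:
            suggestion = "no automatic fix; pin a patched release or replace the package"
            breaking = False
        findings.append({"package": name, "severity": vuln.get("severity", "info"),
                         "direct": bool(vuln.get("isDirect")), "range": vuln.get("range"),
                         "titles": [a.get("title") for a in advisories],
                         "fix": suggestion, "breaking": breaking})
    # Step 4: highest severity first; sort is stable, so report order survives within a level.
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))

def summarize(findings):
    """Findings per severity level."""
    return Counter(f["severity"] for f in findings)

def exceeds_threshold(findings, audit_level="high"):
    """Same rule as `npm audit --audit-level=<level>`: any finding at or above it fails."""
    floor = SEVERITY_RANK[audit_level]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor for f in findings)

def format_alert(findings, audit_level="high"):
    """Step 5: alert lines in the skill's style plus a PASS/FAIL verdict for the CI gate."""
    counts = summarize(findings)
    lines = [f"Dependency audit found {len(findings)} vulnerabilities: "
             + ", ".join(f"{n} {sev.upper()}" for sev, n in counts.most_common())]
    for f in findings:
        flag = " [BREAKING: major version bump, test before updating]" if f["breaking"] else ""
        lines.append(f"{f['severity'].upper()}: {f['package']} ({f['range']}) -> {f['fix']}{flag}")
    lines.append("FAIL" if exceeds_threshold(findings, audit_level) else "PASS")
    return lines

# Constructed report in the v2 shape (subset of fields). lodash mirrors the alert
# shown earlier on this page; ajv, eslint and old-lib are invented.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"severity": "high", "isDirect": True, "range": "<4.17.21",
                   "via": [{"name": "lodash", "title": "Prototype Pollution in lodash",
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "severity": "high"}],
                   "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
        "ajv": {"severity": "moderate", "isDirect": True, "range": "<6.12.3",
                "via": [{"name": "ajv", "title": "Prototype pollution", "severity": "moderate"}],
                "fixAvailable": {"name": "ajv", "version": "8.0.0", "isSemVerMajor": True}},
        "eslint": {"severity": "moderate", "isDirect": True, "range": "*",
                   "via": ["ajv"], "fixAvailable": True},
        "old-lib": {"severity": "low", "isDirect": False, "range": "*",
                    "via": [{"name": "old-lib", "title": "ReDoS", "severity": "low"}],
                    "fixAvailable": False},
    },
}

if __name__ == "__main__":
    print("\n".join(format_alert(parse_npm_audit(SAMPLE_REPORT))))
```

Running the block prints four findings, lodash first, with the ajv line carrying the breaking-change flag (its fix is a major bump to 8.x) and a final FAIL because a HIGH finding meets the default `high` threshold. The `eslint` entry shows why the `via` strings matter: it is only vulnerable through ajv, so it has no advisory titles of its own and `npm audit fix` is the right suggestion.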
### Audit Commands

```shell
# Node.js
npm audit
npm audit --json   # Structured output
# Python
pip-audit
safety check       # deprecated in Safety CLI 3, which uses `safety scan`
# Ruby
bundle audit
# Java (Maven) - needs the org.owasp:dependency-check-maven plugin in the POM
mvn dependency-check:check
```
### Severity Classification

#### CRITICAL 🚨
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable
#### HIGH ⚠️
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface
#### MEDIUM 📋
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit
#### LOW 💡
- Minor security improvements
- Best practice violations
- Minimal risk
### Fix Strategies

#### Automatic Updates

```shell
# Safe automatic fixes
npm audit fix
# May include breaking changes
npm audit fix --force
```
#### Manual Updates

```shell
# Check what will change
npm outdated
# Update specific package
npm update lodash
# Major version update
npm install lodash@latest
```
#### Alternative Packages

```text
Vulnerable: request@2.88.0 (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
```
### Integration with CI/CD

#### Block Deployments

```yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found
```
#### Scheduled Audits

```yaml
# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit
```
### Sandboxing Compatibility

- Works without sandboxing: ✅ Yes
- Works with sandboxing: ⚙️ Needs npm/pip registry access

Sandbox config:

```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}
```
### License Checking

I also check license compatibility:

```text
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
```
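A license-compatibility check of the kind alerted on above, as an added example that is not the skill's own code. It classifies each package's SPDX license expression against an assumed policy for a commercial project (permissive allowed, strong copyleft blocked, weak copyleft flagged for review) and handles the two cases a naive string match gets wrong: a dual license such as `(MIT OR GPL-3.0)` is fine because the consumer may pick MIT, while `Apache-2.0 AND LGPL-2.1` binds you to both terms, so the stricter one decides. The policy sets and the package list are constructed; only `some-gpl-package@1.0.0` comes from the alert above.

```python
# Added example, not the dependency-auditor skill's own code: a license-policy
# check over package metadata (name/version/license as `npm ls --json` or a
# package.json would give). The policy sets and sample packages are assumptions.
import re

# Policy assumed for a commercial project: permissive allowed, strong copyleft
# blocked, weak copyleft flagged for review because linking details decide.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense"}
REVIEW = {"LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0"}
BLOCKED = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "SSPL-1.0"}
RANK = {"allowed": 0, "review": 1, "unknown": 2, "blocked": 3}  # worst last

def classify_license(expr):
    """Classify an SPDX expression. In "A OR B" the consumer picks the most
    permissive option; in "A AND B" every term binds, so the worst one wins.
    Only one outer pair of parentheses is handled; nested expressions stay 'unknown'."""
    if not expr or not expr.strip():
        return "unknown"
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    if "(" in expr or ")" in expr:
        return "unknown"
    if " OR " in expr:  # AND binds tighter than OR, so split on OR first
        return min((classify_license(p) for p in expr.split(" OR ")), key=RANK.__getitem__)
    if " AND " in expr:
        return max((classify_license(p) for p in expr.split(" AND ")), key=RANK.__getitem__)
    ident = re.sub(r"-(only|or-later)$", "", expr)  # GPL-2.0-or-later -> GPL-2.0
    if ident in ALLOWED:
        return "allowed"
    if ident in REVIEW:
        return "review"
    if ident in BLOCKED:
        return "blocked"
    return "unknown"

def check_packages(packages):
    """Return one finding per package whose license is not outright allowed, worst first."""
    findings = []
    for pkg in packages:
        verdict = classify_license(pkg.get("license"))
        if verdict != "allowed":
            findings.append({"package": f"{pkg['name']}@{pkg['version']}",
                             "license": pkg.get("license") or "(missing)", "verdict": verdict})
    return sorted(findings, key=lambda f: -RANK[f["verdict"]])

# Constructed package list; some-gpl-package mirrors the alert above.
SAMPLE_PACKAGES = [
    {"name": "some-gpl-package", "version": "1.0.0", "license": "GPL-3.0"},
    {"name": "dual-licensed", "version": "2.1.0", "license": "(MIT OR GPL-3.0)"},
    {"name": "mixed", "version": "0.3.0", "license": "Apache-2.0 AND LGPL-2.1"},
    {"name": "mystery", "version": "1.2.3", "license": None},
    {"name": "plain", "version": "4.0.0", "license": "MIT"},
    {"name": "gpl-later", "version": "3.0.0", "license": "GPL-2.0-or-later"},
]

if __name__ == "__main__":
    for f in check_packages(SAMPLE_PACKAGES):
        print(f"{f['verdict'].upper():8} {f['package']}: {f['license']}")
```

A missing license field is reported as `unknown` rather than silently passed, which is the safer default: packages with no declared license are the ones most worth a human look.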
### Best Practices
- Regular audits: Run weekly or on every dependency change
- Update frequently: Keep dependencies current
- Review breaking changes: Test before major updates
- Pin versions: Use exact versions in production
- Audit lock files: Commit and audit lock files
### Related Tools
- security-auditor skill: Code vulnerability detection
- @architect sub-agent: Dependency strategy
- /review command: Pre-deployment security check