Ghost Scan Deps
This tool scans project dependencies for vulnerable or outdated packages, helping developers proactively identify and mitigate security risks.
Install on your platform
Run in terminal (recommended)
claude mcp add ghost-scan-deps npx -- -y @trustedskills/ghost-scan-deps
Or manually add to ~/.claude/settings.json
{
  "mcpServers": {
    "ghost-scan-deps": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/ghost-scan-deps"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.
About This Skill
What it does
This skill, Ghost Scan Deps, performs Software Composition Analysis (SCA) scanning of project dependencies to identify vulnerable or outdated packages. It orchestrates a series of sub-agents to automate this process, including initializing a tool called Wraith, discovering dependency lockfiles within the repository, and generating a final scan report detailing potential security risks. The skill focuses on identifying exploitable vulnerabilities in project dependencies.
When to use it
- When onboarding a new project and needing an initial security assessment of its dependencies.
- As part of a continuous integration/continuous delivery (CI/CD) pipeline to proactively identify vulnerabilities during development.
- During code reviews to ensure developers are aware of potential dependency-related risks.
- To quickly assess the security posture of existing projects with known or suspected dependency issues.
Key capabilities
- Wraith Initialization: Installs and configures the Wraith binary for vulnerability scanning.
- Lockfile Discovery: Automatically identifies all relevant dependency lockfiles (e.g., go.mod, package-lock.json).
- Vulnerability Scanning: Runs Wraith against each discovered lockfile to identify known vulnerabilities.
- Exploitability Assessment: Analyzes identified candidates to determine their exploitability.
- Report Generation: Creates a summary report detailing the scan findings.
Example prompts
- "Run a security scan on this project."
- "Scan dependencies for known vulnerabilities and provide a detailed report."
- "Perform an SCA scan of the repository at the current working directory."
Tips & gotchas
- The skill requires Git to determine short commit hashes; if run outside of a Git repository, it falls back to using the date as a substitute.
- The initial setup step computes and stores several variables (scan_dir, cache_dir, skill_dir) that every subsequent step depends on. Ensure these values are correctly stored and available to the agent before the sub-agents run.
- This skill is an orchestrator; it relies on sub-agents and does not perform any of the core scanning work itself.
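The lockfile discovery capability listed above and the commit-hash fallback described in the first tip are the two pieces of this workflow that can be shown concretely without the Wraith binary. The following Python is an added example written for this page; it is not the skill's or the Wraith project's own code. It assumes a scanner would look for the lockfile names shown (go.mod and package-lock.json come from the listing, the rest are a common-sense extension), that vendored directories such as node_modules should be pruned so third-party copies are not mistaken for the project's own manifests, and that the scan identifier is the short git hash of HEAD with today's UTC date as the fallback.

```python
import os
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Lockfile names the listing mentions (go.mod, package-lock.json) plus a few
# common ones added here as an assumption about what a scanner would look for.
LOCKFILE_NAMES = {
    "go.mod", "go.sum", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "Cargo.lock", "Gemfile.lock", "poetry.lock", "Pipfile.lock",
}

# Directories that hold third-party copies or build output; a lockfile found
# there describes a vendored package, not the project under review.
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build", ".venv"}


def discover_lockfiles(root):
    """Walk root and return sorted, root-relative POSIX paths of lockfiles."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into skipped directories.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            if name in LOCKFILE_NAMES:
                found.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(found)


def scan_identifier(root):
    """Return (identifier, source): the short git hash of HEAD for root, or,
    when root is not inside a git repository (or git is not installed),
    today's UTC date as YYYYMMDD, mirroring the fallback the listing describes."""
    try:
        result = subprocess.run(
            ["git", "rev-parse", "--short", "HEAD"],
            cwd=root, capture_output=True, text=True, timeout=10,
        )
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip(), "git"
    except (OSError, subprocess.SubprocessError):
        pass  # git missing or failed: fall through to the date fallback
    return datetime.now(timezone.utc).strftime("%Y%m%d"), "date"


def demo():
    """Build a constructed sample repository layout in a temporary directory,
    run both helpers over it, and return (lockfiles, identifier, source)."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = [
            "go.mod",
            "web/package-lock.json",
            "web/node_modules/leftpad/package-lock.json",  # vendored: must be skipped
            "tools/Cargo.lock",
            "README.md",  # not a lockfile: must be ignored
        ]
        for rel in layout:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content\n")
        lockfiles = discover_lockfiles(tmp)
        ident, source = scan_identifier(tmp)
        return lockfiles, ident, source


if __name__ == "__main__":
    lockfiles, ident, source = demo()
    for lf in lockfiles:
        print("lockfile:", lf)
    print(f"scan id: {ident} (from {source})")
```

Run it in a checked-out repository and scan_identifier returns the short hash; run it in a plain directory and it returns the date, which is why reports produced outside Git cannot be tied back to a specific revision and should be labelled as such.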
TrustedSkills Verification
Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.
Security Audits
| Scanner | Result |
|---|---|
| Gen Agent Trust Hub | Pass |
| Socket | Pass |
| Snyk | Pass |
🌐 Community
Passed automated security scans.