← Back to Skills

Supply Chain Risk Auditor

🌐Community
by trailofbits · vlatest · Repository

This AI audits your supply chains for potential risks like disruptions & vulnerabilities, ensuring business continuity and informed decision-making.

Install on your platform

We auto-selected Claude Code based on this skill’s supported platforms.

1

Run in terminal (recommended)

terminal
claude mcp add supply-chain-risk-auditor npx -- -y @trustedskills/supply-chain-risk-auditor
2

Or manually add to ~/.claude/settings.json

~/.claude/settings.json
{
  "mcpServers": {
    "supply-chain-risk-auditor": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/supply-chain-risk-auditor"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill analyzes a project's dependencies to identify potential risks like vulnerabilities or takeovers. It evaluates each dependency against six criteria, including maintainer status, popularity, and security history. The skill then generates a structured markdown report outlining flagged dependencies, suggested alternatives, and actionable recommendations for improving supply chain security.

When to use it

  • Assessing dependency risk before a formal security audit.
  • Evaluating the overall attack surface of a project’s supply chain.
  • Identifying unmaintained or otherwise risky dependencies within a project.
  • As part of pre-engagement scoping when concerns about supply chain risks arise.

Key capabilities

  • Evaluates project dependencies against six risk criteria (single maintainers, unmaintained status, low popularity, high-risk features, past CVEs, missing security contacts).
  • Uses the gh CLI tool to retrieve accurate GitHub metrics for each dependency.
  • Generates a structured markdown report with flagged risks and recommendations.
  • Designed for pre-audit scoping and attack surface assessment.

Example prompts

  • "Audit this project's dependencies."
  • "Can you assess the supply chain risk of my current project?"
  • "Generate a dependency risk audit report."

Tips & gotchas

  • This skill is not intended for active vulnerability scanning; use tools like npm audit or pip-audit for that purpose.
  • The skill does not perform runtime dependency analysis.
  • It relies on the gh CLI tool to query GitHub data, so ensure it's properly configured.
View Repository →

Tags

🛡️

TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

Gen Agent Trust HubPass
SocketPass
SnykPass

Details

Version
vlatest
License
Author
trailofbits
Installs
81
Repository (canonical source) →

🌐 Community

Passed automated security scans.