AgentSkillsCN

dependency-audit

Audit project dependencies for known vulnerabilities using ecosystem-specific tools (npm audit, composer audit, pip-audit, cargo audit, etc.).

SKILL.md
---
name: dependency-audit
description: Audit project dependencies for known vulnerabilities using ecosystem-specific tools (npm audit, composer audit, pip-audit, cargo audit, etc).
argument-hint: "[--fix] [ecosystem]"
user-invocable: true
---

Dependency Audit Skill

Overview

Run dependency vulnerability checks using native package manager audit tools.

Supported Ecosystems

| Ecosystem         | Tool                      | Auto-fix |
|-------------------|---------------------------|----------|
| npm/yarn/pnpm/bun | npm audit / yarn audit    | Yes      |
| PHP/Composer      | composer audit            | Manual   |
| Python/pip        | pip-audit / safety check  | Manual   |
| Rust/Cargo        | cargo audit               | Yes      |
| Go                | govulncheck ./...         | Manual   |
| Swift/CocoaPods   | pod audit                 | Manual   |
| Ruby/Bundler      | bundle audit              | Manual   |

Workflow

  1. Detect package manager from lock files
  2. Run appropriate audit command
  3. Parse output for vulnerabilities
  4. Classify by severity (CRITICAL/HIGH/MEDIUM/LOW)
  5. Suggest fix versions or alternatives

Auto-Fix Support

When the --fix flag is used:

  • npm audit fix applies the safe (non-breaking) updates for npm projects
  • cargo audit fix applies the available fixes for Rust projects
  • Other ecosystems get manual remediation guidance (fixed versions or alternative packages), since their audit tools do not rewrite dependencies
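As an added example (not the skill's own code), the following POSIX shell helper implements the detection, command selection and --fix handling described above; the lock-file names it checks and the requirements.txt fallback for pip are this example's assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the skill's own code): steps 1, 2 and 5
# of the workflow. detect_ecosystem looks only at lock files, so it runs offline;
# the audit tool itself is invoked only by run_audit. The lock-file names and
# the "requirements.txt" fallback for pip are this example's assumptions.

# Print the ecosystem for project directory $1, or "unknown".
detect_ecosystem() {
  d="$1"
  if [ -f "$d/package-lock.json" ] || [ -f "$d/yarn.lock" ] || \
     [ -f "$d/pnpm-lock.yaml" ] || [ -f "$d/bun.lockb" ] || [ -f "$d/bun.lock" ]; then
    echo npm
  elif [ -f "$d/composer.lock" ]; then echo composer
  elif [ -f "$d/Cargo.lock" ]; then echo cargo
  elif [ -f "$d/go.sum" ]; then echo go
  elif [ -f "$d/Podfile.lock" ]; then echo cocoapods
  elif [ -f "$d/Gemfile.lock" ]; then echo bundler
  elif [ -f "$d/poetry.lock" ] || [ -f "$d/requirements.txt" ]; then echo pip
  else echo unknown
  fi
}

# Print the audit command for ecosystem $1 (from the table above); $2="fix"
# selects the auto-fix variant for ecosystems that have one. Returns 1 if unknown.
audit_command() {
  case "$1" in
    npm)       if [ "$2" = fix ]; then echo "npm audit fix"; else echo "npm audit"; fi ;;
    cargo)     if [ "$2" = fix ]; then echo "cargo audit fix"; else echo "cargo audit"; fi ;;
    composer)  echo "composer audit" ;;
    pip)       echo "pip-audit" ;;
    go)        echo "govulncheck ./..." ;;
    cocoapods) echo "pod audit" ;;
    bundler)   echo "bundle audit" ;;
    *)         return 1 ;;
  esac
}

# Steps 2 and 5: run the audit for directory $1; pass "fix" as $2 to request auto-fix.
# Ecosystems without auto-fix get the plain audit plus a reminder to patch by hand.
run_audit() {
  eco=$(detect_ecosystem "$1")
  cmd=$(audit_command "$eco" "$2") || { echo "no audit tool for '$eco'" >&2; return 1; }
  if [ "$2" = fix ] && [ "$cmd" = "$(audit_command "$eco")" ]; then
    echo "note: $eco has no auto-fix; bump vulnerable versions manually" >&2
  fi
  (cd "$1" && $cmd)
}
```

Call `run_audit /path/to/project fix` from the project checkout; severity classification (step 4) still comes from the tool's own output.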
