ワンクリックで
dep-audit
Audit dependency security risks
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Audit dependency security risks
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
| name | dep-audit |
| description | Audit dependency security risks |
| allowed-tools | Bash(yarn audit *), Bash(npm audit *), Bash(pnpm audit *), Bash(npx *), Bash(bash *), Read, Glob |
/codex-security)/codex-review-fast)/codex-security)| Step | Goal | Safety |
|---|---|---|
| audit | Scan dependencies for vulnerabilities | read-only |
Failure behavior: report-all
$ARGUMENTS
--level <severity> — Minimum reporting level (low/moderate/high/critical), default: moderate--fix — Attempt automatic fixUse Glob to check if .claude/scripts/dep-audit.sh exists in the project root.
bash .claude/scripts/dep-audit.sh $ARGUMENTS
Detect the project ecosystem and run the audit manually.
Ecosystem detection (check project root for manifest files):
| Manifest | Ecosystem | Audit Command | Fix Command |
|---|---|---|---|
package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit --audit-level {LEVEL} | pnpm audit --fix |
package.json + yarn.lock | Node (yarn) | yarn audit --level {LEVEL} | yarn audit --fix or npx yarn-audit-fix |
package.json | Node (npm) | npm audit --audit-level={LEVEL} | npm audit fix |
pyproject.toml | Python | pip-audit or safety check | pip-audit --fix |
Cargo.toml | Rust | cargo audit | cargo audit fix |
go.mod | Go | govulncheck ./... | (manual fix) |
build.gradle | Java | ./gradlew dependencyCheckAnalyze | (manual fix) |
Default {LEVEL} is moderate unless --level argument is provided.
If --fix is specified, run the fix command for the detected ecosystem after audit.
If no recognized manifest file exists, report an error.
## Audit Results
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |
## Vulnerability Details
### [severity] Issue Title
- **Package**: package-name
- **Fix**: Available / Not available
## Gate
✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities
/dep-audit
/dep-audit --level high
/dep-audit --fix
First-principles UI/IA reasoning: turns a `<scenario>` + API field set into JTBD analysis, principle-anchored field-priority decisions, anti-pattern findings, and a bidirectional UI↔API gap report. Trigger: UI、UX、資訊架構、IA、scenario-driven UI、欄位優先級、information hierarchy. Not for: visual/CSS work (use `/frontend-design`), post-build critique (use `/critique`), or simplifying existing layouts (use `/distill`).
Necessity audit for over-designed spec elements. Use when: auditing lifecycle spec (1-requirements / 2-tech-spec / 3-architecture) for YAGNI/KISS violations, challenging necessity of FRs/NFRs/abstractions/configs via Codex adversarial debate. Not for: FP reasoning validity (use /codex-review-spec), completeness check (use /feature-completeness), detail review (use /codex-review-doc), or code-level simplification (use /simplify).
Sequential squash-merge of stacked PR chains into an epic branch. Handles dependency-ordered rebase, collision-safe backup tags, CI monitoring (delegates to /watch-ci), and post-merge verification. Use when: merging a chain of stacked PRs into an epic branch, collapsing a linear PR stack into per-PR squash commits, preparing an epic branch for final review. Triggers on: 'merge PRs into epic', 'squash chain', 'collapse PR stack', 'epic merge', or when user has a linear PR dependency chain (PR A -> B -> C) targeting an epic branch. Not for: single PR merge (use /create-pr + GitHub UI), simple rebase (use /smart-rebase), pre-merge analysis (use /merge-prep). Output: chain analysis table + backup tag manifest + per-iteration AskUserQuestion gate + verification log.
Push to remote and monitor CI. Validates branch safety, executes git push WITH explicit user approval, then monitors CI run status via gh CLI. Use when: user says 'push', 'push and watch CI', 'ship it', 'push-ci'. Not for: committing (use /smart-commit), creating PRs (use /create-pr), merging (use /merge-prep).
Post-development recap wrapper. Use when: AI/Codex just finished implementing a feature and the user wants a guided walkthrough with scope detection + doc generation + follow-up Q&A. Not for: generating only a doc (use /recap-doc), Q&A over an existing recap (use /recap-ask), technical share-out (use /tech-brief), first-principles reasoning of an existing doc (use /fp-brief), general code tracing (use /code-explore). Output: ScopeReport → briefing-recap-<date>.md → interactive Q&A session.
Interactive Q&A over an existing recap document. Use when: user wants to ask follow-up questions about a briefing-recap-<date>.md produced by /recap-doc, with recap-bounded context + out-of-scope redirect + optional promote-to-request. Not for: generating a new recap (use /recap-doc), general project Q&A (use /ask), code tracing (use /code-explore). Output: per-turn answer referencing file:line + end-of-session promote prompt.