| name | dependency-audit |
| display_name | Dependency Audit |
| description | Audits dependency files and package changes for vulnerable packages, risky upgrades, license concerns, and supply-chain exposure. |
| category | code-quality |
| version | 1.0.0 |
| tags | ["dependencies","supply-chain","security","licenses","maintenance"] |
| providers | ["claude-code","codex","copilot","openclaw","hermes-agent"] |
| author | agent-skills contributors |
Dependency Audit
Use this skill when reviewing changes to package manifests, lockfiles, container base images, GitHub Actions, language toolchains, or third-party SDKs.
Inputs
- Changed dependency files such as
package.json, lockfiles, pyproject.toml, requirements.txt, go.mod, Cargo.toml, Gemfile, Dockerfiles, or workflow YAML
- Project language, runtime, deployment target, and risk tolerance
Steps
- Identify added, removed, upgraded, and downgraded dependencies.
- Check whether new dependencies are necessary or duplicate existing capability.
- Review package reputation signals: maintainer, activity, license, transitive footprint, native code, install scripts, and known ecosystem risk.
- Look for risky version changes: major upgrades, downgrades, unpinned versions, broad ranges, prerelease packages, or unexpected lockfile churn.
- Inspect build and install hooks for arbitrary code execution or network access.
- Check license compatibility and note unknown or restrictive licenses.
- Review container and CI dependencies for overprivileged images, mutable tags, deprecated actions, or untrusted third-party actions.
- Recommend safer alternatives, pinning, upgrade sequencing, or additional validation.
Output
Provide:
- Dependency change summary
- Risk table with package/action/image, change, risk, and recommendation
- Required follow-up checks such as audit commands, SBOM generation, or license review
- Merge recommendation: accept, accept with follow-up, or block
Guidelines
- Do not claim a package is vulnerable without evidence from available context.
- Treat unexpected lockfile churn as a review signal.
- Prefer reducing dependency count when a small local implementation is safer.