一键在 Manus 中运行任何 Skill

supply-chain-protection

One-time setup of supply-chain protections for a project. Detects the package manager (npm, pnpm, Yarn, Bun), installs Socket Firewall (sfw), configures a 48-hour minimum package release age, and writes persistent dependency rules to CLAUDE.md. Use when the user mentions supply chain protection, dependency security, securing packages, malicious dependencies, typosquatting defense, "setup sfw", Socket Firewall, package release age, or wants to harden their project against compromised npm/pnpm/yarn/bun packages — even if they don't use these exact terms.

在 Manus 中运行

星标27

分支2

更新时间2026年4月13日 20:40

来源

Vesely

Vesely/skills

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

信息安全分析师计算机与数学类职业15-1212L4

文件资源管理器

2 个文件

SKILL.md

readonly

name	supply-chain-protection
description	One-time setup of supply-chain protections for a project. Detects the package manager (npm, pnpm, Yarn, Bun), installs Socket Firewall (sfw), configures a 48-hour minimum package release age, and writes persistent dependency rules to CLAUDE.md. Use when the user mentions supply chain protection, dependency security, securing packages, malicious dependencies, typosquatting defense, "setup sfw", Socket Firewall, package release age, or wants to harden their project against compromised npm/pnpm/yarn/bun packages — even if they don't use these exact terms.
allowed-tools	["Read","Write","Edit","Glob","Grep","Bash(npm install:)","Bash(npx:)","Bash(sfw:)","Bash(which:)","Bash(command:)","Bash(pnpm:)","Bash(yarn:)","Bash(bun:)"]
context	fork

Supply-Chain Protection Setup

One-time project setup to harden dependency management against supply-chain attacks.

Idempotency

Before each step, check if the expected state already exists. If sfw is installed, the config already has the release-age setting, or CLAUDE.md already contains the "Dependency Supply-Chain Protection" section — skip that step and note it in the summary. This makes the skill safe to re-run without duplicating work.

Goal

Configure the repository so all dependency operations use Socket Firewall (sfw) and enforce a 48-hour minimum release age policy on packages.

Steps

1. Detect Package Manager

Inspect the repository for lockfiles and config, starting at the repo root and falling back to the current working directory:

Signal	Package Manager
`pnpm-lock.yaml`	pnpm
`yarn.lock` + `.yarnrc.yml`	Yarn Berry (2+)
`yarn.lock` without `.yarnrc.yml`	Yarn Classic (1.x)
`bun.lock` / `bun.lockb` / `bunfig.toml`	Bun
`package-lock.json`	npm

If multiple signals exist, pick the one actually used in scripts / CI. For monorepos, apply config at the workspace root level. Report the decision before proceeding.

Success criteria: Package manager identified and stated.

2. Install Socket Firewall

Run command -v sfw to check if sfw is already available.
If missing, install globally: npm i -g sfw
- If the global install fails with EACCES, suggest npm i -g sfw --prefix ~/.local or ask the user for their preferred approach.
Verify with sfw --version.

Success criteria: sfw command is available and version is confirmed.

3. Configure 48-Hour Minimum Release Age

Apply native config for the detected package manager. Preserve existing content in all config files.

If a release-age setting already exists, keep the existing value — the user may have intentionally chosen a shorter or longer period. Only add the setting if it is missing.

pnpm — update .npmrc (pnpm reads release-age settings from .npmrc, not pnpm-workspace.yaml):

minimum-release-age=2880

Yarn Berry (2+) — update .yarnrc.yml:

npmMinimalAgeGate: "2d"

Yarn Classic (1.x) — no native release-age setting exists. Skip config changes. Recommend the user migrate to pnpm or Bun for native release-age enforcement. Note this in the summary.

Bun — update bunfig.toml:

[install]
minimumReleaseAge = 172800

npm (v11.10.0+) — update .npmrc:

min-release-age=2

Note: the unit is days (not minutes or seconds). There is a known bug where tilde (~) version ranges may conflict with this setting. If npm is older than v11.10.0, skip config changes and note the limitation in the summary.

Rules:

Do not invent settings the package manager does not support.
Do not remove unrelated existing config.
Preserve formatting when practical.

Success criteria: Config file updated (or skipped for npm) with the correct minimum-age setting.

4. Verify Setup

Run a quick smoke test to confirm the setup works end-to-end. For example:

sfw <pm> add is-odd --dry-run

This confirms sfw wraps the package manager correctly and the release-age config is picked up. If the dry-run fails, diagnose and fix before proceeding.

Success criteria: Dry-run install completes without errors under sfw.

5. Update CLAUDE.md

Create or update CLAUDE.md in the project root. If the file exists, first check whether a "Dependency Supply-Chain Protection" section already exists — if so, skip this step. Otherwise, append the section; do not overwrite existing content.

Substitute all {{...}} placeholders with the actual detected values before writing.

## Dependency Supply-Chain Protection

Always prefix dependency commands with `sfw` (Socket Firewall).
Applies to install, add, update, upgrade, remove — any command that changes dependencies.

Examples: `sfw {{DETECTED_PM}} add <pkg>`, `sfw {{DETECTED_PM}} update <pkg>`.

Do not bypass `sfw` unless the human explicitly instructs it.

Success criteria: CLAUDE.md contains the supply-chain section with correct operational notes (no unsubstituted placeholders).

6. Summary

Output a concise summary:

Detected package manager
Whether sfw was installed or already present
Which config file was changed (or "none" for npm)
Whether the dry-run verification passed
How the 48-hour rule is enforced
Steps that were skipped (already configured)
Any limitations

If something went wrong, note which changes were made so the user can revert via git checkout if needed.

Success criteria: User sees a clear summary of all changes.

同仓库更多 Skills

同仓库

tldr

Vesely/skills

Compress the previous assistant response into a single TL;DR line, then propose exactly three terse next-step labels (≤8 words each, slash commands welcome) the user can take. Use whenever the user types `/tldr`, `/recap`, says "tldr", "tl;dr", "summarize and suggest next steps", "recap that", "what should I do next", "give me the gist", or otherwise asks for a quick summary of what was just said plus suggestions for what to do next. Trigger even when the user phrases it casually ("ok so what now?", "give me the short version + next steps") — this skill exists exactly for those moments where a long answer needs distilling and a clear handoff to action.

2026-05-1027

ai-gateway

Vesely/skills

Generate text, images, and video from the CLI via the Vercel AI Gateway (one key, hundreds of models).

2026-05-0127

cursor-agent

Vesely/skills

Delegate a task to Cursor's CLI agent (code review, Q&A, planning) for a second opinion from a non-Claude model

2026-04-2727

use-skill

Vesely/skills

Fetch and execute a remote skill on-the-fly without installing it permanently. Use when the user wants to try a skill once, run a skill from GitHub, use a remote skill without installing, or mentions "use-skill", "run remote skill", "try this skill", "fetch skill", "one-time skill", or provides a GitHub URL/shorthand pointing to a skill they want to execute. This is the go-to skill whenever someone wants to use a skill they haven't installed locally. Also use when the user mentions skills.sh or wants to search for available skills.

2026-04-1427

catbox

Vesely/skills

Upload files to catbox.moe for free, anonymous hosting with direct links. Use when the user wants to upload an image, video, or any file to catbox, host a file online, get a direct link to a file, or mentions "catbox", "catbox.moe", "upload to catbox", "host file", or wants a permanent direct URL for a file.

2026-04-1327

context-audit

Vesely/skills

Audit your Claude Code setup for token waste and context bloat. Use when the user says "audit my context", "check my settings", "why is Claude so slow", "token optimization", "context audit", or runs /context-audit. Starts by running /context to see real overhead, then audits MCP servers, CLAUDE.md rules, skills, settings, and file permissions. Returns a health score with specific fixes.

2026-04-1327

name	supply-chain-protection
description	One-time setup of supply-chain protections for a project. Detects the package manager (npm, pnpm, Yarn, Bun), installs Socket Firewall (sfw), configures a 48-hour minimum package release age, and writes persistent dependency rules to CLAUDE.md. Use when the user mentions supply chain protection, dependency security, securing packages, malicious dependencies, typosquatting defense, "setup sfw", Socket Firewall, package release age, or wants to harden their project against compromised npm/pnpm/yarn/bun packages — even if they don't use these exact terms.
allowed-tools	["Read","Write","Edit","Glob","Grep","Bash(npm install:)","Bash(npx:)","Bash(sfw:)","Bash(which:)","Bash(command:)","Bash(pnpm:)","Bash(yarn:)","Bash(bun:)"]
context	fork

Supply-Chain Protection Setup

One-time project setup to harden dependency management against supply-chain attacks.

Idempotency

Goal

Configure the repository so all dependency operations use Socket Firewall (sfw) and enforce a 48-hour minimum release age policy on packages.

Steps

1. Detect Package Manager

Inspect the repository for lockfiles and config, starting at the repo root and falling back to the current working directory:

Signal	Package Manager
`pnpm-lock.yaml`	pnpm
`yarn.lock` + `.yarnrc.yml`	Yarn Berry (2+)
`yarn.lock` without `.yarnrc.yml`	Yarn Classic (1.x)
`bun.lock` / `bun.lockb` / `bunfig.toml`	Bun
`package-lock.json`	npm

If multiple signals exist, pick the one actually used in scripts / CI. For monorepos, apply config at the workspace root level. Report the decision before proceeding.

Success criteria: Package manager identified and stated.

2. Install Socket Firewall

Run command -v sfw to check if sfw is already available.
If missing, install globally: npm i -g sfw
- If the global install fails with EACCES, suggest npm i -g sfw --prefix ~/.local or ask the user for their preferred approach.
Verify with sfw --version.

Success criteria: sfw command is available and version is confirmed.

3. Configure 48-Hour Minimum Release Age

Apply native config for the detected package manager. Preserve existing content in all config files.

If a release-age setting already exists, keep the existing value — the user may have intentionally chosen a shorter or longer period. Only add the setting if it is missing.

pnpm — update .npmrc (pnpm reads release-age settings from .npmrc, not pnpm-workspace.yaml):

minimum-release-age=2880

Yarn Berry (2+) — update .yarnrc.yml:

npmMinimalAgeGate: "2d"

Yarn Classic (1.x) — no native release-age setting exists. Skip config changes. Recommend the user migrate to pnpm or Bun for native release-age enforcement. Note this in the summary.

Bun — update bunfig.toml:

[install]
minimumReleaseAge = 172800

npm (v11.10.0+) — update .npmrc:

min-release-age=2

Rules:

Do not invent settings the package manager does not support.
Do not remove unrelated existing config.
Preserve formatting when practical.

Success criteria: Config file updated (or skipped for npm) with the correct minimum-age setting.

4. Verify Setup

Run a quick smoke test to confirm the setup works end-to-end. For example:

sfw <pm> add is-odd --dry-run

This confirms sfw wraps the package manager correctly and the release-age config is picked up. If the dry-run fails, diagnose and fix before proceeding.

Success criteria: Dry-run install completes without errors under sfw.

5. Update CLAUDE.md

Substitute all {{...}} placeholders with the actual detected values before writing.

## Dependency Supply-Chain Protection

Always prefix dependency commands with `sfw` (Socket Firewall).
Applies to install, add, update, upgrade, remove — any command that changes dependencies.

Examples: `sfw {{DETECTED_PM}} add <pkg>`, `sfw {{DETECTED_PM}} update <pkg>`.

Do not bypass `sfw` unless the human explicitly instructs it.

Success criteria: CLAUDE.md contains the supply-chain section with correct operational notes (no unsubstituted placeholders).

6. Summary

Output a concise summary:

Detected package manager
Whether sfw was installed or already present
Which config file was changed (or "none" for npm)
Whether the dry-run verification passed
How the 48-hour rule is enforced
Steps that were skipped (already configured)
Any limitations

If something went wrong, note which changes were made so the user can revert via git checkout if needed.

Success criteria: User sees a clear summary of all changes.