
Supply Chain Risk Auditor

Plugin Active
Part of: Trailofbits

Audit supply-chain threat landscape of project dependencies for exploitation or takeover risk

1 Skill, 0 MCPs
Purpose

To help users identify and mitigate supply chain threats within their project's dependencies by flagging high-risk factors and suggesting safer alternatives.

Features

  • Analyzes direct project dependencies for supply chain risk factors.
  • Uses the 'gh' CLI for comprehensive data gathering on dependencies.
  • Identifies dependencies with single maintainers, unmaintained status, low popularity, high-risk features, past CVEs, or missing security contacts.
  • Generates a detailed report with risk assessments and suggested alternatives.

Use Cases

  • Assessing the security posture of project dependencies.
  • Identifying potential vulnerabilities in the software supply chain.
  • Making informed decisions about replacing risky dependencies.
  • Scoping security engagements related to supply chain risks.

Non-Goals

  • Performing active vulnerability scanning (e.g., CVE detection in source code).
  • Analyzing runtime dependencies.
  • Auditing license compliance.
  • Replacing dedicated security auditing tools.

Trust

  • Warning (Issues Attention): There are 13 issues opened and 4 closed in the last 90 days, resulting in a closure rate of approximately 24%, indicating slow response to open issues.

Installation

First, add the marketplace, then install the plugin:

/plugin marketplace add trailofbits/skills
/plugin install supply-chain-risk-auditor@trailofbits

Quality Score

77 /100
Analyzed about 11 hours ago

Trust Signals

Last commit: 3 days ago
Stars: 5.2k
License: CC-BY-SA-4.0
