Dependency Check
Scan project dependencies for known vulnerabilities and CVEs
Scan project dependencies to identify and address known vulnerabilities and CVEs, ensuring the security and health of the software supply chain.
Features
- Scan project dependencies for vulnerabilities and CVEs
- Provide severity levels for identified vulnerabilities
- Offer auto-fix capability for vulnerabilities
- Support continuous monitoring via MCP
Use Cases
- Use when preparing for a release to ensure no critical vulnerabilities are present.
- Use as part of a CI/CD pipeline to automatically check for new CVEs.
- Use to proactively identify and schedule fixes for high and moderate severity vulnerabilities.
Non-Goals
- Performing deep code analysis for security flaws not related to dependency versions.
- Managing software licenses or compliance issues.
- Scanning for vulnerabilities in deployed applications.
Workflow
- Identify project dependencies
- Scan dependencies for known vulnerabilities and CVEs using CLI tools
- Categorize findings by severity
- Optionally attempt to auto-fix vulnerabilities
- Report findings and status
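The steps above map onto a small CI gate. This added example (not part of the ruflo skill) summarises an npm audit report by severity, notes which findings `npm audit fix` can resolve without a breaking change, and fails the run when a finding meets a threshold. The report is a constructed sample in the shape of `npm audit --json` (auditReportVersion 2); for a real project feed it the actual report.

```javascript
// Added example, not the skill's own code. Sample report constructed in the shape
// of `npm audit --json` (auditReportVersion 2); package names and advisory titles
// are illustrative only.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: one direct dep with a simple fix, one transitive dep whose fix
// needs a semver-major bump of its parent, one direct dep with no fix available.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { name: "lodash", severity: "high", isDirect: true, fixAvailable: true,
      via: [{ title: "Prototype Pollution (constructed)", url: "https://example.invalid/adv-1" }] },
    minimist: { name: "minimist", severity: "critical", isDirect: false,
      fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true },
      via: [{ title: "Prototype Pollution (constructed)", url: "https://example.invalid/adv-2" }] },
    cookie: { name: "cookie", severity: "low", isDirect: true, fixAvailable: false, via: ["express"] },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Categorise every finding by severity, record the fix path, and decide whether the
// run passes against the `failOn` threshold (default: block on high and critical).
function summarizeAudit(report, failOn = "high") {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const findings = [];
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    counts[v.severity] = (counts[v.severity] ?? 0) + 1;
    // `via` holds advisory objects for root causes and bare package names when the
    // entry is only affected through another vulnerable dependency.
    const advisories = (v.via ?? []).filter(x => typeof x === "object").map(x => x.title);
    let fix = "none";
    if (v.fixAvailable === true) fix = "npm audit fix";
    else if (v.fixAvailable && typeof v.fixAvailable === "object") {
      fix = v.fixAvailable.isSemVerMajor ? "major upgrade, review breaking changes" : "npm audit fix";
    }
    findings.push({ name: v.name, severity: v.severity, direct: Boolean(v.isDirect), advisories, fix });
  }
  const threshold = SEVERITY_RANK[failOn] ?? SEVERITY_RANK.high;
  const blocking = findings.filter(f => (SEVERITY_RANK[f.severity] ?? 0) >= threshold);
  return { counts, findings, blocking, pass: blocking.length === 0 };
}

const result = summarizeAudit(sampleReport, "high");
console.log(JSON.stringify(result, null, 2));
// In a pipeline step, set `process.exitCode = result.pass ? 0 : 1` to fail the build.
```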
Practices
- Security Auditing
- Dependency Management
Prerequisites
- Node.js and npm installed
- Project with a package.json
Trust
- Warning, issues need attention: with 68 open and 373 closed issues in the last 90 days, the closure rate is likely below 50%, indicating slow response times.
Installation
First, add the marketplace
/plugin marketplace add ruvnet/ruflo
Then install the plugin
/plugin install ruflo-security-audit@ruflo
Similar Extensions
Vector Setup (score 100)
First-run setup for ruvector@0.2.25 — installs ONNX/Brain/SONA add-ons, registers the MCP server, and verifies the install via `doctor`.
Audit Dependency Versions (score 100)
Audit project dependencies for version staleness, security vulnerabilities, and compatibility issues. Covers lock file analysis, upgrade path planning, and breaking change assessment. Use before a release to ensure dependencies are current and secure, during periodic maintenance reviews, after receiving a security advisory, when upgrading to a new language version, before submitting to CRAN or npm, or when inheriting a project to assess its dependency health.
Clawsec Scanner (score 100)
Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific DAST hook execution testing for OpenClaw hooks.
Dependency Management (score 98)
Manage third-party libraries, runtimes, and SaaS dependencies. Use this skill when setting an update cadence, responding to security advisories, dealing with deprecated dependencies, evaluating new dependencies, auditing what's installed, or unblocking a dependency upgrade. Triggers on dependency, package update, security patch, lockfile, deprecated, breaking change, supply chain, dependency audit, npm audit, dependabot, renovate. Also triggers when a build breaks after an update or when an advisory is published for a used package.
Update Deps (score 98)
Audit and update npm/Bun dependencies with supply chain integrity checks — verifies maintainers, publish age, tarball diffs, and provenance before bumping. Defers risky packages to ~/.supply-chain/notes/.
Cleanup Cycles (score 100)
Detect and untangle circular dependencies. Runs madge/skott (TS), pycycle (Py), or compiler-only checks (Go/Rust). Auto-fixes leaf-extractable cycles; reports core cycles for human review. Use when the user asks to find circular imports, fix dependency cycles, or untangle a module graph. Example queries — "find circular imports", "fix dependency cycles", "untangle our module graph", "why is madge complaining".